Verizon Says Hactivists Now Biggest Corporate Net Threat
alphadogg writes "Hactivists — not cybercriminals — were responsible for the majority of personal data stolen from corporate and government networks during 2011, according to a new report from Verizon. The Verizon 2012 Data Breach Investigation Report found that 58% of data stolen in 2011 was the result of hactivism, which involves computer break-ins for political rather than commercial gain. In previous years, most hacking was carried out by criminals, Verizon said. Altogether, Verizon examined 855 cybersecurity incidents worldwide that involved 174 million compromised records. This is the largest data set that Verizon has ever examined, thanks to its cooperation with law enforcement groups including the U.S. Secret Service, the Dutch National High Tech Crime Unit and police forces from Australia, Ireland and London."
Welcome in the real world (Score:5, Insightful)
where you need real technicians!
Re: (Score:1)
Yep. Security measures should be valid regardless of the motivation of the attackers. Unless of course you can get to shoot the attackers, in which case it really does matter they're activists.
Re:Welcome in the real world (Score:5, Insightful)
Most companies have coasted by with bad security practices, now they have to up their game. Boo f'n hoo.
CEOs tell us "sucks to be you, suck it up" when it comes to their monopolies. I say the same thing back at them. Actually employ decent programmers, engineers, admins, and managers. Quality > Quantity?!
Re:Welcome in the real world (Score:5, Insightful)
The trend over the last 10 years in software development has been labor minimization, offshoring, "just meet the specs" mentality.
Now a lot of companies are getting bitten in the rear in return for the supposed "savings" they realized over the years. Think your $1500 a year software engineers in Bangalore are going to be able to handle this...? Communication is difficult with them even when you have well defined specs - let alone when the engineer needs to be aware of current events and think of unspecified scenarios themselves.
I think a lot of corporations are going to find out that IT staff is not dispensable in the way that, say, payroll staff became in the 1990s.
Re: (Score:2)
It's not just bad corporate policies. It's the entire commercial security industry as well:
http://blog.cryptographyengineering.com/2012/03/why-antisec-matters.html
hacktivists == cybercriminals (Score:5, Insightful)
Re: (Score:2)
there's a difference between hacktivists and cybercriminals? sounds like a false distinction to me.
I think it is meant to distinguish between motives. Cybercriminals are doing it to make money. Hacktivists are doing it because they are pissed off.
Re: (Score:2)
I think the distinction here is one of ego. Criminals are just seeking to masquerade their activity behind an illusion of activism. Rather than being seen as petty criminals they want to be seen as activist.
Right now the government is blatantly letting that lie slide on through, is a slimy shit eating way of making political protest criminal.
Truth here is the bulk of computer hacking is done by;
petty criminals, including spammers, credit fraud (no such thing as identity theft, just a corporate lie to
Hactivists == cybercriminals (Score:5, Insightful)
Re:Hactivists == cybercriminals (Score:5, Funny)
Criminal. People who stick "cyber" in front of things because the innerwebs are involved need to be slapped.
Re:Hactivists == cybercriminals (Score:4, Funny)
Surely you mean cyberslap [bash.org] them. Cyberhard, right into cyberteeth.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Insightful)
They're separating out based on motivation.
Re: (Score:3)
They're separating out based on motivation.
I saw that... and that IS playing with words. In this case, a criminal is a criminal regardless of motivation.
Re: (Score:1)
Re: (Score:2)
But the motivation determines if it is a crime in the first place.
Kill someone with malice, go to prison, kill someone in self defense, no prob.
Re:Hactivists == cybercriminals (Score:4, Insightful)
But the motivation determines if it is a crime in the first place.
Kill someone with malice, go to prison, kill someone in self defense, no prob.
I don't think this article was talking about homicide.
What motivation would make it legal to hack a government or corporate system and steal personal data?
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
But in that case the intention/motivation/circumstances make a difference between being a criminal and not. In this case, both groups are criminals, the intention is irrelevant... at least, under English law, which is all I really know anything about.
The BBC's headline [bbc.co.uk] was particularly silly in this regard: "Data theft: Hacktivists 'steal more than criminals'" - as the BBC of all news groups should have someone available to point out that it's not stealing, and that hacktivists are criminals.
Of course, the
Re: (Score:3)
But aside from all of that, how the hell do they even know exactly what the motivation was? Just because the intruder said so? Just because nothing bad happened immediately?
BTW, does anyone have the contact number of the people who made this determination? I have a really nice bridge I'd like to sell them.
Much as I like the idea of cyber Robin Hoods, you still gotta call them what they are.
Re: (Score:3)
Re:Hactivists == cybercriminals (Score:4, Interesting)
Re: (Score:2, Insightful)
Anyone stealing personal data is a "cybercriminal". Sounds like they are playing with words.
Not from the perspective of the larger companies/governments.
While the actual action is similar enough the result is vastly different.
The main objective for a "cybercriminal" is to steal customer information. The end result is that the customer gets screwed over and the company gets some bad publicity that they have to deal with.
Hacktivists on the other hand tend to look for indications that the company/government does anything illegal. This causes damage that isn't as easily passed down on the taxpayer/c
Re:Hactivists == cybercriminals (Score:4, Insightful)
Re: (Score:2)
Agreed. It's weird how the article tries to spin them as separate things. "Most cybercrime now politically motivated" would have made for a more accurate headline.
One important difference is that the "hackitivists" will tell you they did it as shaming the target is generally part of the plan. Real for-profit criminals will keep their mouths shut because they would like to do it again and not talking about it helps with that.
So, in and of itself, I think that's going to skew the numbers because what is really under discussion here are the number of cases of detected attacks, not total attacks.
No (Score:2)
Re:Hactivists == cybercriminals (Score:5, Insightful)
As others have said, the distinction is motive.
There is also a distinction in the damages.
If I steal a million debit card numbers for greed, I'm going to try to cover my tracks and exploit the cards for profit. There will be tens of thousands of individuals who will suffer direct financial harm as I drain their bank accounts. Even those "made whole" by the banks will still suffer embarrassment. Their banks are also victims. Only when it is traced to the company I stole the data from do they realize they are a victim.
If I do it for lulz, like "The Joker" on Batman, there's no telling who will be the immediate victim. Will I publicize it to embarrass the banks? Will I order adult-novelty products on the credit cards and send them to the card-owners and watch the fallout on national TV? Who knows.
If I do it as an "activist" I'm probably only interested in hurting the company, not the cardholders. Yes, the cardholders will suffer collateral emotional damage and some will spend time or money trying to protect themselves in case I'm also motivated by greed, but the intended victim is the company I stole the data from.
Of course, I may be targeting a third party such as a security vendor by directly attacking its corporate customers, or I may attack a government by attacking those who support it. But in each case, the owners of the bank card numbers I steal aren't going to have their bank accounts drained. Unless of course I have a little greed or I'm careless and let the numbers fall into the hands of someone who is greedy.
Re: (Score:3)
Yes, the cardholders will suffer collateral emotional damage and some will spend time or money trying to protect themselves in case I'm also motivated by greed, but the intended victim is the company I stole the data from.
You mention "collateral damage" so casually.
Collateral damage to innocents is usually vilified by the /. crowd when it comes about by the actions of corporations and governments/military/police, yet when a "distinction" is made for "activists" of some sort, suddenly it's not as bad, because "the intended victim is the company I stole the data from".
Bullshit. If someone is hell-bent on tilting at some windmill... sure, a villain to them, but maybe not so much to an otherwise innocent bystander... and they
Re: (Score:1)
sobu or whatever his name is from anonymous rang up $70k in stolen CC charges. activist or criminal?
I assume you mean hactivist or greed-motivated (whether criminal or not is a matter for the courts to decide).
Possibly both?
Re: (Score:2)
I think you may have a couple wires crossed here. It isn't that the media wants you to believe that "Activists" are purely good.
"Good" activists are either venerated and deified or if their cause really wasn't attractive to the people who came after them they are passively forgotten.
"Bad" activists end up as either "heads on the pike" and become a symbol of what we tell our children to actively seek and stop or they are actively forgotten; basically the cultural version of burning the body and scattering th
Re: (Score:3)
So basically, LIES, DAMN LIES!
,and statistics [wikipedia.org].
I could go to a homeless shelter. Ask every person there if they are homeless. Then post my statistics that homelessness has reached 100%. In microscopic print I "might" add "at homeless shelters".
What's funny is when political pollsters pull these pranks and still only manage to scrounge up forty percent and change support for their candidate.
Which is then used for criminal activity (Score:2)
Re: (Score:3)
Depends. If the hacktivists make the hack public and hence I know about my CC being stolen before it can be abused, I can react. Plus, my bank has no way to play dumb and pretend it was my fault that my CC number got abused.
So yes, the average hacktivist is less of a threat to me than the average for-profit hacker.
Re: (Score:2)
usually the data was available for criminal activity already.
hactivists just tend to publish their exploits on the high seas and share their plunder. usually that means that the hole gets plugged.
Bad analysis (Score:5, Insightful)
The truth is that hacktivism alone is not a sufficient cause of corporate data breaches. A variety of issues come into play: corporate laxity in IT, a preference for fast deployment of services over careful security scrutiny, absence of strong legal consequences against corporations for permitting data breaches, programming languages/environments that make it easy to deploy vulnerable services, lack of fine-grained data permissions at the hardware/network/OS level, etc.
Remove any one of those factors, and the rate of data breaches would likely go down significantly. I'm not sure where Verizon gets off picking just one of them.
Re: (Score:1)
I'm not sure where Verizon gets off picking just one of them.
Probably because all of the other things you mentioned are a pain for Verizon. They'd have to implement more stringent IT practices, defer speed and convenience for security, abide by new laws and generally put more effort into how they handle data. But Hactivism? No, that's the result of Other People doing Naughty Things, so don't look at us. Preventing this sort of thing is the FBI's problem, not ours. When we lose customer data it's all the fault of the hactivists doing things they shouldn't, nothin
the FBI hacked Stratfor. not anonymous (Score:2)
the hack of stratfor was aided and abetted by the FBI. they provided the servers to store the data. they 'flipped' Sabu. they were monitoring him the whole time he was running the anonymous hacks of various companies. the FBI just stood by while they did it.
the FBI is responsible here. it went too far.
Re: (Score:2)
None of the things you listed are 'causes' of data breaches. They are things that can be tightened up to help prevent breaches, but they are in no way causes. The cause, in nearly every case, is someone trying to get at something they have no right to.
Well gee... (Score:5, Insightful)
What goes around comes around...
Re:Well gee... (Score:5, Insightful)
We shouldn't support criminals just because they target people we don't like. Effectively that is saying that rights and protection should be applied only to those we favor in a given moment.
And in some of these cases, passwords, credit cards and personal data was leaked publicly. So the customers are the ones suffering more than companies like Verizon.
They might be criminal, but they are NOT threat (Score:4, Insightful)
When downloading or uploading information or cracking copy protection can ruin your life worse than committing grand theft or murder, I consider that action immoral and unjust. And I will consider any corporation supporting & pushing this kind of legislation a valid target.
While I agree that unlawful implies criminal, lawful doesn't necessarily mean right, and unlawful doesn't necessarily mean wrong. These days the laws are a broken mess, and even when they aren't only the rich can afford to defend themselves, rendering the justice system broken.
--Coder
Re: (Score:3)
Do you remember the Oklahoma City bombing?
The terrorists in question disagreed with the federal government. They felt that the only way to enact change was to break the law. So they murdered innocent civilians, including toddlers in the daycare.
The families of the victims were unhappy with the federal government and how the death penalty was applied in federal cases. So they wrote a law. They traveled to Washington D.C. and testified before Congress. They got their law passed less than a year after the atta
Re: (Score:2)
And I don't have the ability to make changes within the system. I'm not an American nor am I living in USA, but laws dictated by US corporations get pushed down our throats all the time. Even if I were, lobbying & greed would triumph most of the time anyway.
--Coder
Re: (Score:2)
You'll note that people like Rosa Parks didn't victimize others in her peaceful protest because she didn't have civil rights.
Stealing credit card info and releasing it publicly because you don't like a company isn't the same. Don't for a moment pretend they are.
Ok, I agree on that (Score:2)
I would probably stick to defacing websites or stealing internal documents or emails of executives or similar if I were a hacktivist. Anyway, it was nice having this discussio
Re: (Score:1)
In theory laws are a tool to facilitate justice, and many of our rulers have abandoned that principle so long ago that now they're even abandoning the illusion. To quote Frederic Bastiat: "The safest way to make laws respected is to make them respectable. When law and morality contradict each other, the citizen has the cruel alternative of either losing his moral sense or losing his respect for the law." While I'd rather not have to choose, I'm far more comfortable retaining my sense of mor
Re: (Score:2)
Pro-lifers consider abortions to be "immoral and unjust". Indeed, from their point of view, abortions are equivalent to the murder of over a million infants every year, which (if they were right) I'm sure you would agree is much worse than a billion dollar fine for downloading an MP3. So by your logic, they are completely justified in treating abortion doctors and clinics as "valid targets".
If you think only people you agree with deserve the protection of law, then you are far worse than any of the villai
Re: (Score:3)
We shouldn't support criminals just because they target people we don't like.
Exactly. That's why Robin Hood is unpopular and almost no one knows about him now and why he was universally hated in his own time.
Re: (Score:2)
Before Robin Hood you had financial inequality. Then Robin Hood robs from the rich to give to the poor. This provokes the ruling class, and in the end a lot of people die. Clearly this is a fine example of how criminal activity made people's lives better.
In most variations of the story, King Richard eventually comes home from the Crusades and resumes his just rule, which he would have done regardless. All Robin Hood did was get a lot of poor people killed.
Re: (Score:2)
I'm not applying the story of Robin Hood to a larger scale. The poster above me did. I'm examining Robin Hood as a specific case.
In that case, Robin Hood was not needed to remove an unjust government as King Richard was coming home either way. The end result is that Robin Hood got a lot of people killed. If he hadn't done anything, people would have been better off eventually.
Re: (Score:2)
Re: (Score:2)
Agreed. And one of the ways they do this is by showing a severe lack of concern for their customers' security. For example, as far as I can find, there is no way to log on to the Verizon.com web site from a HTTPS: page. There used to be, but they removed it. Maybe they should evaluate their own security....
#1 threat (Score:3, Insightful)
Maybe the number one threat is acting like a douche. How many large, successful companies are targeted when they don't act like that? Hey Sony, get a clue.
Re: (Score:1)
Re: (Score:2)
Annnddd... they're not very wrong.
Re: (Score:2)
Every fucking one of them is targeted. Ask any CISO what keeps them up at night.
Crime is crime (Score:5, Insightful)
This is a really dangerous distinction. Crime is crime. Politically motivated crime is - what? Terrorism? I don't like where this is going.
Re:Crime is crime (Score:5, Insightful)
I think the point is that hacktivism occurs mostly because of unethical behavior of the target companies, not because they have generally weak security or valuable data. Therefore, companies can avoid being targets of hacktivism more by avoiding unethical behavior, rather than spending millions to beef up their security.
You can't legislate ethics (Score:2)
What is ethical and what is legal are very different things. Companies are really only required to follow what is legal. However, it is normally in their best interests to act ethically as well -- but we don't require, as a matter of law, peo
Re: (Score:3)
No justice quite like angry mob justice!
Re: (Score:1)
It's not hactivists that are a threat to the net. It's the corporations and government agencies that the hactivists target that are the real threat.
Re: (Score:2)
This might be so in certain cases and not in others. I would say some go after any company that is large. In fact Verizon has so many people working for them, there is no way customer relations are going to be good. Maybe they ought to hire more people that actually know what they are doing and much less that don't.
Re: (Score:2)
I think the point is that hacktivism occurs mostly because of unethical behavior of the target companies, not because they have generally weak security or valuable data. Therefore, companies can avoid being targets of hacktivism more by avoiding unethical behavior, rather than spending millions to beef up their security.
you know that's mostly bullshit. besides, doesn't help that it's unethical to have your customer records easily accessible by spammers and when exploits are carpet bombed over ip ranges.. it's just shit luck. of course if you have unethical operation going on then it's more likely there's something juicy there. they should try to be reasonably secure regardless, it doesn't have to cost millions.
hacktivism occurs mostly because it can. and it gets noticed because hacktivists want that. thus, it's easier to g
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Civil disobedience (a form of activism) is also a crime, yet often we hold people who do it in high regard. Sometimes civil disobedience is acclaimed moral courage.
Now I'm not saying we can group hacktivism in with civil disobedience. But in many cases I don't think that it would be a stretch.
The issue of motive is critical. When we speak of criminals we usually mean people who did something illegal for personal gain at the expense of another. But if someone did something illegal in defense of the co
No, its not the biggest threat (Score:1)
The federal government is.
Re: (Score:2)
The very same federal government that can't figure out a conversation between two RPG players planning a raid in a game of cyberpunk not being real, despite the weapons being mentioned being invented in 2018?
Re: (Score:2)
Incompetence does not have to equate to threat level.
Re: (Score:2)
No, the corporations that own the federal government are more of a threat.
Well, if corporations and other wealthy interests seek to control the powers of government as they always have and always will seek to do, then why the hell are we sweetening the pot for them by making the target (government) an even juicier plum for those interests by making it larger and more powerful, with ever-growing control over the behavior of common citizens, and controlling ever-growing percentage of the nation's wealth, and with even deeper levels of bureaucratic obfuscation in which to hide bad d
And 20 years ago... (Score:1)
... most data was probably stolen for the lulz.
My how times have changed.
Good practices (Score:2)
Activism is more visible (Score:5, Insightful)
When you are hacked by an activist, they will make sure that you and the rest of the world know about it. Criminals, on the other hand, try to be as subtle as possible. Some victims might not even realize that they have been breached, and even if they do it's much easier to cover up. I don't think activism surpasses crime, it's just much more visible.
Re: (Score:2)
Bullshit. (Score:1, Insightful)
"Hacktavists" are just a highly visible boogeyman. Useful for scaring white people that watch network news and the politicians that cull their votes.
Visible, but hardly a blip compared to the massive spam, fraud, phishing, trojan, and malware ops that the real blackhats run. These things are complex and deep and ever present, so they're useless for scaremongers.
Want a real data set that will turn up evidence of massive economic fraud? Get ahold of Verizon's billing data.
Easy to protect against (Score:5, Insightful)
Well, good thing then, that it's easy to protect yourself against hacktivists. Just stop being dicks.
Re: (Score:2)
Telling a manager to stop being a dick is like telling a techie to wear tie and suit. It just won't happen in this universe.
Re: (Score:1)
A big problem with that. That's in the eye of the beholder.
Re: (Score:2)
Of course. So is crime. Thus we form a consensus to decide what is and what is not a crime - but it is nonetheless "in the eye of the beholder".
Hacktivists act because they feel that the laws, for whatever reason, are either unjust, insufficient or not thoroughly enforced. It is the means they have available - others have other means open to them, such as bribing/tricking law makers to make absurd laws, or governments to invade other countries on false premises. I have a hard time arguing that the former are
Wait, hold on! (Score:1)
So people who breach poorly executed and even more poorly planned security are the greatest threat to security on the net? Methinks it's the corporations who would rather spend more on propaganda than proper security that are the problem here, the "hacktivists" just point it out.
A cow's opinion (Score:1)
No way is Verizon the Biggest Corporate Threat. (Score:1)
Hactivists? (Score:1)
Verizon Says [crappy internal security] Now Biggest Corporate Net Threat
There.. I fixed it for you.
or actually, the BIGGEST corporate net threat (Score:1)
is actually unsecured and improperly managed networks run by corporations that collect too much information on us. There, fixed that...
there, corrected that for you (Score:1)
Hacktivists Say Verizon Now Biggest Corporate Net Threat
It's pretty much the same. (Score:2)
Hacktivists are motivated by politics which is motivated by money. So I don't see the difference. I wonder what Google's figures are?
Takes one to know one, I guess (Score:1)
Sony - probably skewed the results (Score:2)
Considering the largest breach of 2011 happened to be Sony (started with Playstation Network, spread through to other Sony sites), it's hard to tell if this is the case. After all, Anonymous and Lulzsec kept breaking into other Sony sites. All in all, Sony lost probably close to 150M customer records....
I would call that hacktivism since it was meant more to embarrass Sony over their lack of security.
How reliable is this data? (Score:3)
hacktivists, by definition, will publicize their break-ins so you can be sure they will be counted.
Common thieves and governmental spies (Chinese, Russians, etc.) on the other hand, might never be discovered if their level of competence is superior to that of the security administrators of a company.
Therefore, the statistics offered are very dubious and I would not be surprised if they are completely and spectacularly wrong.
"Hactivists" aren't criminals? (Score:1)
They must be fighting it... (Score:2)
Because my Verizon iPhone has NO data on their 3G network anywhere near down town.
Meanwhile... (Score:3)
The Legion of Doom Says Superheroes Now Biggest Business Threat.
Re: (Score:2, Insightful)
Easier definition:
Terrorist: Someone who doesn't agree with you, wants to go to war with you but lacks the funds for a big enough army to actually call it a war.
Criminal: Someone who does something against the interests of society but lacks the money to change the laws accordingly, or someone who does something against the interests of those that have the money to change the laws.
Re: (Score:2)
Fun science fact: the word "cracktivism" sounds even sillier than "hacktivism."
That being said, the label "hacktivist" has only been applied thus far to groups like LulzSec who trespass on others' computers to make a point; the others are just tech-savvy activists. I'm afraid your hopeful alternative is just a unicorn.
Re: (Score:2)
Re: (Score:2)
Re:Verizon is credible???? (Score:5, Insightful)
Indeed... especially in this case.
Think about how the data was generated: the data comes from reported incidents of network compromise.
EVERY hacktivist compromise will be reported by the victim, as the hacktivist group has already reported it and they have a responsibility to disclose such things.
I'd bet that most intrusions and data extractions conducted by other groups (organized crime, government special ops, industrial espionage) are never reported to Verizon, therefore they wouldn't show up in the statistics. For that matter, most of these intrusions likely go completely unnoticed. Considering we've just been finding out in the last year about intrusions that have been ongoing for TEN YEARS, who's to say how many like these are still in the "unreported" category?
Without all the rhetoric, Verizon's study is really saying that intrusions reported for political reasons are more highly reported than those that both the intruder and the victim have no desire to make public. Any other conclusions involve too much conjecture (on the same level as the RIAA losing billions to piracy) unless more data is provided.