Verizon Says Hactivists Now Biggest Corporate Net Threat 150
alphadogg writes "Hactivists — not cybercriminals — were responsible for the majority of personal data stolen from corporate and government networks during 2011, according to a new report from Verizon. The Verizon 2012 Data Breach Investigation Report found that 58% of data stolen in 2011 was the result of hactivism, which involves computer break-ins for political rather than commercial gain. In previous years, most hacking was carried out by criminals, Verizon said. Altogether, Verizon examined 855 cybersecurity incidents worldwide that involved 174 million compromised records. This is the largest data set that Verizon has ever examined, thanks to its cooperation with law enforcement groups including the U.S. Secret Service, the Dutch National High Tech Crime Unit and police forces from Australia, Ireland and London."
Welcome in the real world (Score:5, Insightful)
where you need real technicians!
Hactivists == cybercriminals (Score:5, Insightful)
Bad analysis (Score:5, Insightful)
The truth is that hactivisism alone is not a sufficient cause of corporate data breaches. A variety of issues come into play: corporate laxity in IT, a preference for fast deployment of services over careful security scrutiny, absence of strong legal consequences against corporations for permitting data breaches, programming languages/environments that make it easy to deploy vulnerable services, lack of fine-grained data permissions at the hardware/network/OS level, etc.
Remove any one of those factors, and the rate of data breaches would likely go down significantly. I'm not sure where Verizon gets off picking just one of them.
Well gee... (Score:5, Insightful)
What goes around comes around...
#1 threat (Score:3, Insightful)
Maybe the number one threat is acting like a douche. How many large, successful companies are targetted when they don't act like that? Hey Sony, get a clue.
Crime is crime (Score:5, Insightful)
This is a really dangerous distinction. Crime is crime. Politically motivated crime is - what? Terrorism? I don't like where this is going.
Re:Hactivists == cybercriminals (Score:2, Insightful)
They're separating out based on motivation.
Re:Hactivists == cybercriminals (Score:2, Insightful)
Anyone stealing personal data is a "cybercriminal". Sounds like they are playing with words.
Not from the perspective of the larger companies/governments.
While the actual action is similiar enough the result is vastly different.
The main objective for a "cybercriminal" is to steal customer information. The end result is that the customer gets screwed over and the company gets some bad publicity that they have to deal with.
Hacktivists on the other hand tends to look for indications that the company/government does anything illegal. This causes damage that isn't as easily passed down on the taxpayer/customer.
I expect that we will see better security for servers and harder punishments for "cybercrime" soon.
Re:Hactivists == cybercriminals (Score:4, Insightful)
Activism is more visible (Score:5, Insightful)
When you are hacked by an activist, they will make sure that you and the rest of the world know about it. Criminals, on the other hand, try to be as subtle as possible. Some victims might not even realize that they have been breached, and even if they do it's much easier to cover up. I don't think activism surpasses crime, it's just much more visible.
Bullshit. (Score:1, Insightful)
"Hacktavists" are just a highly visible boogeyman. Useful for scaring white people that watch network news and the politicians that cull their votes.
Visible, but hardly a blip compared to the massive spam, fraud, phishing, trojan, and malware ops that the real blackhats run. These things are complex and deep and ever present, so they're useless for scaremongers.
Want a real data set that will turn up evidence of massive economic fraud? Get ahold of Verizon's billing data.
Re:Hactivists == cybercriminals (Score:5, Insightful)
As others have said, the distinction is motive.
There is also a distinction in the damages.
If I steal a million debit card numbers for greed, I'm going to try to cover my tracks and exploit the cards for profit. There will be tens of thousands of individuals who will suffer direct financial harm as I drain their bank accounts. Even those "made whole" by the banks will still suffer embarrassment. Their banks are also victims. Only when it is traced to the company I stole the data from do they realize they are a victim.
If I do it for lulz, like "The Joker" on Batman, there's no telling who will be the immediate victim. Will I publicize it to embarrass the banks? Will I order adult-novelty products on the credit cards and send them to the card-owners and watch the fallout on national TV? Who knows.
If I do it as an "activist" I'm probably only interested in hurting the company, not the cardholders. Yes, the cardholders will suffer collateral emotional damage and some will spend time or money trying to protect themselves in case I'm also motivated by greed, but the intended victim is the company I stole the data from.
Of course, I may be targeting a third party such as a security vendor by directly attacking its corporate customers, or I may attack a government by attacking those who support it. But in each case, the owners of the bank card numbers I steal aren't going to have their bank accounts drained. Unless of course I have a little greed or I'm careless and let the numbers fall into the hands of someone who is greedy.
Re:Crime is crime (Score:5, Insightful)
I think the point is that hacktivism occurs mostly because of unethical behavior of the target companies, not because they have generally weak security or valuable data. Therefore, companies can avoid being targets of hacktivism more by avoiding unethical behavior, rather than spending millions to beef up their security.
Easy to protect against (Score:5, Insightful)
Well, good thing then, that it's easy to protect yourself against hacktivists. Just stop being dicks.
Re:Welcome in the real world (Score:5, Insightful)
Most companies have coasted by with bad security practices, now they have to up their game. Boo f'n hoo.
CEOs tell us "sucks to be you, suck it up" when it comes to their monopolies. I say the same thing back at them. Actually employee decent programmer, engineers, admins, and managers. Quality > Quantity?!
Re:Well gee... (Score:5, Insightful)
We shouldn't support criminals just because they target people we don't like. Effectively that is saying that rights and protection should be applied only to those we favor in a given moment.
And in some of these cases, passwords, credit cards and personal data was leaked publicly. So the customers are the ones suffering more than companies like Verizon.
Re:And how are they not criminals? (Score:2, Insightful)
Easier definition:
Terrorist: Someone who doesn't agree with you, wants to go to war with you but lacks the funds for a big enough army to actually call it a war.
Criminal: Someone who does something against the interests of society but lacks the money to change the laws accordingly, or someone who does something against the interests of those that have the money to change the laws.
Re:Hactivists == cybercriminals (Score:4, Insightful)
But the motivation determines if it is a crime in the first place.
Kill someone with malice, got to prison, kill someone in self defense, no prob.
I don't think this article was talking about homicide.
What motivation would make it legal to hack a government or corporate system and stealing personal data?
Re:Verizon is credible???? (Score:5, Insightful)
Indeed... especially in this case.
Think about how the data was generated: the data comes from reported incidents of network compromise.
EVERY hacktivist compromise will be reported by the victim, as the hactivist group has already reported it and they have a responsibility to disclose such things.
I'd bet that most intrusions and data extractions conducted by other groups (organized crime, government special ops, industrial espionage) are never reported to Verizon, therefore they wouldn't show up in the statistics. For that matter, most of these intrusions likely go completely unnoticed. Considering we've just been finding out in the last year about intrusions that have been ongoing for TEN YEARS, who's to say how many like these are still in the "unreported" category?
Without all the rhetoric, Verizon's study is really saying that intrusions reported for political reasons are more highly reported than those that both the intruder and the victim have no desire to make public. Any other conclusions involve too much conjecture (on the same level as the RIAA losing billions to piracy) unless more data is provided.
hacktivists == cybercriminals (Score:5, Insightful)
They might be criminal, but they are NOT threat (Score:4, Insightful)
When downloading or uploading information or cracking copy protection can ruin your life worse than committing grand theft or murder, I consider that action immoral and unjust. And I will consider any corporation supporting & pushing this kind of legislation a valid target.
While I agree that unlawful implies criminal, lawful doesn't necessarily mean right, and unlawful doesn't necessarily mean wrong. These days the laws are broken mess, and even when they aren't only the rich can afford to defend themselves, rendering justice system broken.
--Coder
Re:Welcome in the real world (Score:5, Insightful)
The trend over the last 10 years in software development has been labor minimization, offshoring, "just meet the specs" mentality.
Now a lot of companies are getting bitten in the rear in return for the supposed "savings" they realized over the years. Think your $1500 a year software engineers in Bangalore are going to be able to handle this...? Communication is difficult with them even when you have well defined specs - let alone when the engineer needs to be aware of current events and think of unspecified scenarios themselves.
I think a lot of corporations are going to find out that IT staff is not dispensable in the way that, say, payroll staff became in the 1990s.