12.16.10

Hackers Create a Cybersecurity Gold Rush

At least one group is happy about the hacker attacks on Visa, MasterCard and Gawker. Brian Ries on how sites are swarming to security consultants—and why this new threat is here to stay.

Time magazine may not even know it, but they dodged a bullet this week.

A whisper campaign in the online hacker community hinted at an attack on the venerable weekly’s website following its selection of Mark Zuckerberg as its "Person of the Year"—at the expense of hacker favorite Julian Assange, the founder of WikiLeaks.

Fortunately for Time, Twitter users affiliated with “Anonymous,” the group that brought down the websites of Visa and MasterCard after they cut off transfers to WikiLeaks, promptly shot down such talk as unnecessary censorship. "No [attack] on @ Time's website," one tweeted. "[Denying entry to the Time site] is no method to fight for freedom of speech. Especially not against press."

But that possibility, reinforced by both the WikiLeaks-driven Anonymous attacks and then the theft of a 1.5 million-user database from Gawker Media by a vigilante group known as Gnosis, has not been lost on the corporate world. McAfee, the giant Silicon Valley-based digital security company, has seen risk-assessment inquiries triple in the past few weeks, with at least half of that stemming solely from the antics of Anonymous.

"Experience tends to suggest that well-publicized security events [do] heighten interest," says Herb Lin, chief scientist at the Computer Science and Telecommunications Board.

“How long that interest lasts is a different question entirely.”

It might last longer this time, if for no other reason than the attacks of the past few weeks seem different. The site takedowns are organized by increasingly powerful hacker gangs that have never met in person, but virtually collaborate to attack organizations that have done something they perceive as unjust. Moreover, these attacks are increasingly prominent in the press—these media-savvy groups make public retribution part of the mission—which only spurs more copycats.

Jon Oltsik, a principal analyst at Enterprise Strategy Group, says that recent attacks reveal the existence of a delicate balance between politics, technology, and cybersecurity. "If your firm takes a position on anything, someone will oppose it," he says. “If they have the means and skills to launch a political attack, they often will.” The ease with which these gangs attack stems from the recent proliferation of open-source software that floods a targeted server with traffic. The more individuals who download the software, the faster a website’s host server will fail. This is why WikiLeaks’ sympathizers were able to bring down giants like Visa and MasterCard. The swarm was thousands-strong.

On the flip side, the hackers who actually break into servers—versus attack to knock them offline—do so based on their knowledge of existing vulnerabilities in a website’s code; valuable intel that is shared among the hacker community on private chat servers and mailing lists.

To play defense, the services security firms like McAfee sell are packaged under the wholesale label of “threat assessment.” When you purchase, what you get is a team of experts—some retired hackers, others not—who come in and poke around a website’s servers, trying to gauge the likelihood someone could break into its database or knock it offline.

They’re searching for potential vulnerabilities and unknown backdoors, and exploring the network’s susceptibility to social engineering—the hacks that get in by fooling employees into giving up login information.

It’s challenging work, and for the most part is a form of passive defense—assessing a system before an attack is under way. It’s a bit like protecting a nation from terrorism. Security officials can rarely predict when a terrorist will slip through our borders with a bomb on his back, but they can increase security at the entrance points, and use intuition to predict the most susceptible attack locations.

While costly, hiring a security firm might make sense in the long run—in times of peace or war.

Depending on a website’s bottom line, a security breach can mean lost revenue, customers, or—for a blog—readers. Silverpop, for their part, lost a client in DeviantArt—a Web community for artists—following last week’s database breach. “Because we value the information that members give us,” a DeviantArt representative wrote in an email to customers, “we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us.” And according to recent documents unveiled by The New York Times, cleaning up the damage after a hacker attack can be a costly endeavor. In fighting a worm in 2005, Google spent $500,000 on engineering resources alone. In 2004, the MyDoom virus caused an initial $100,000 in damage to the search giant’s servers. And then there’s the long tail—Gawker Media’s said to be hiring "horrendously expensive security consultants" to help keep their hackers from coming back in a few months to see if their security’s improved.

But an uptick isn’t registering across the board for all technological security firms. Kevin Beaver, a consultant at a smaller security company, hasn't personally seen much of an uptick in the threat assessment side of the business. He’s typically engaged only when a client has a pressing need on their hands—or an actual attack.

His clients are too clever to get all Chicken Little on their security concerns, he believes, and often ignore all the press about the rising threat. "I know that most executives and business owners don't get too excited over security hype in the media," he says. "However, I'm a single player in a relatively large field."

"The [traffic-swarming] attacks are a joke," adds Ira Winkler, president at Internet Security Advisers Group.

“It is kind of like in the movie The Life of Brian, where everyone showed up at an event to make fun of the governor who couldn’t pronounce Rs,” not caring who they were targeting, as long as it sounded funny, he says. Except in this case, it’s the hackers. They haven’t a clue who is defending the servers they are after, only whether they’ll be able to pull off the attack.

Brian Ries is tech and social media editor at The Daily Beast. He lives in Brooklyn.