OPINION: Are Anonymous Members Forged in the Crucible of IT Compliance?

By B.K. DeLong

With alleged Anonymous leadership such as Sabu and opponents such as th3j35t3r tweeting about their supposed shenanigans in Las Vegas, the question on everyone’s mind this week is whether Anonymous is truly walking the halls of this week’s Black Hat and DEFCON hacker conferences. Some believe the answer to that question is almost certainly ‘yes’ but not for the reasons you might think – here’s my opinion based on several discussions I’ve had throughout the week.

Nobody knows for sure whether either of the two – or other members of the Anonymous upper echelon – are in Vegas this week. However, if people do know, they’re not talking. While there are some tweets, photos and taunting back and forth, anyone can claim to be posting from a particular location or forge the evidence to make it look that way.

The bigger and more important question is how many disgruntled Fortune 500, government, or military security professionals wearing “Human” badges at DEFCON sympathize with the free-wheeling and pseudo-anarchic agenda that Anonymous has championed? Based on conversations with industry peers of all stripes at both conferences this week, the answer is: quite a few.

Why? It’s simple – most security professionals are tired of being hamstrung by C-level executives and frustrated that their employers are content to be only as secure as the auditor says they have to be. Who in the industry hasn’t heard senior management go so far as to say they’d rather take the “hits” from fines than pour dollars into compliance mandates whose utility is questionable?

The mindlessness of using regulatory compliance as an information security ceiling hurts both the ego and the sense of professional responsibility of practitioners. One might even go so far as to posit that some could choose to go the Anonymous route as a way to take matters into their own hands.

Mind you, that’s not suggesting that otherwise law-abiding IT professionals are going to be loading up the Low Orbit Ion Cannon DDoS tool on their corporate laptops anytime soon – there’s an ethical responsibility in taking on a job like this. But could insiders “participate” by anonymously sharing their knowledge of where the “bodies are buried” and where the security weaknesses in corporate defenses can be found? Absolutely. In fact, law enforcement is alleging that such a scenario fed one of Anonymous’s noted hacks.

Might a peer, frustrated by the constraints of their job or their inability to convince their employer to invest in security, go after what they believe to be some of the highest-value targets possible, or seek out the IP or PII that will make heads turn? Again: yes.

The value of the latter gives ammo to almost any security professional with valuable assets at their organization – the honest ability to point to their own weaknesses and say “we could be next”. Those are two different scenarios in which industry peers might choose to eschew their ethics and throw their hat into the Anonymous ring of anarchy.

As we know, recent law enforcement raids against Anonymous and Lulz Security have had mixed results. Those arrested include a bevy of adolescents, including the group’s 18-year-old spokesperson, a 19-year-old bot herder and an unnamed 16-year-old. Shown in its best light, Anonymous appears as an amorphous collective whose members keep themselves technically well-segmented from each other. More cynically, it looks like something run by technically savvy adults who are careful to make sure the less skilled take the fall without being able to “out” them (purposefully or accidentally) if and when they are arrested.

Ironically, these kinds of raids only fuel the anger and frustration of the Anti-Sec movement when law enforcement challenges the technical and security abilities of those they are going after by claiming to have arrested and charged high-level members. As with past efforts against large groups and similarly specious claims, this often leads to larger and more frequent attacks – sometimes aimed at law enforcement itself. Hopefully they will remember and learn from those mistakes.

Being at Black Hat, the largest business-oriented threat and management event in the country (and likewise DEFCON, the largest “hacker” conference), one must wonder, if any of the above is true, how many members of Anonymous walk the same hallways as the other “Humans” this week, either speaking or learning. There are differing opinions on whether such extreme criminal acts are the way to make things better for peers in the industry. If nothing else, the attacks by the Anti-Sec movement put everyone working in information security under a magnifying glass. Who hasn’t been tempted to contemplate extreme measures in an effort to raise a red flag about the need to protect critical corporate assets?

As always, however, security “ends” often don’t justify the means. Seductive as the hacktivism of Anonymous and Lulz Security seems, there’s a reason those who wear the White and Gray have Red Teams, pen testing tools and consultants: they allow us to expose weakness without resorting to criminal activity, reckless destruction and public release of highly valuable corporate assets.

Definitely discussion points for Black Hat, DEFCON and future cons beyond.