OPINION: Are Anonymous Members Forged in the Crucible of IT Compliance?

By B.K. DeLong

With alleged Anonymous leadership such as Sabu and opponents such as th3j35t3r tweeting about their supposed shenanigans in Las Vegas, the question on everyone's mind is whether Anonymous is truly walking the halls of this week's Black Hat and DEFCON hacker conferences. Some believe the answer to that question is almost certainly "yes", but not for the reasons you might think. Here is my opinion, based on several discussions I've had throughout the week.

Nobody knows for sure whether either of the two, or other members of the Anonymous upper echelon, are in Vegas this week. However, if people do know, they're not talking. While there are some tweets, photos and taunting back and forth, anyone can claim to be posting from a particular location, or forge a post to look that way.

The bigger and more important question is how many disgruntled Fortune 500, government or military security professionals wearing "Human" badges at DEFCON sympathize with the free-wheeling and pseudo-anarchic agenda that Anonymous has championed. Based on conversations with industry peers of all stripes at both conferences this week, the answer is: quite a few.

Why? It's simple: most security professionals are tired of being hamstrung by C-level executives and frustrated that their employers are content to be only as secure as the auditor says they have to be. Who in the industry hasn't heard senior management go so far as to say they'd rather take the "hits" from fines than pour dollars into compliance mandates whose utility is questionable?

The mindlessness of treating regulatory compliance as an information security ceiling hurts both the ego and the sense of professional responsibility of practitioners. One might even go so far as to posit that some could choose the Anonymous route as a way to take matters into their own hands.

Mind you, that's not to suggest that otherwise law-abiding IT professionals are going to be loading the Low Orbit Ion Cannon DDoS tool onto their corporate laptops anytime soon; there's an ethical responsibility that comes with a job like this. But could insiders "participate" by anonymously sharing their knowledge of where the "bodies are buried" and where the weaknesses in corporate defenses can be found? Absolutely. In fact, law enforcement is alleging that such a scenario fed one of Anonymous's noted hacks.

Might a peer, frustrated by the constraints of their job or their inability to convince their employer to invest in security, go after what they believe to be some of the highest-value targets possible, or seek out the IP or PII that will make heads turn? Again: yes.

The value of the latter gives ammunition to almost any security professional with valuable assets at their organization: the honest ability to point to their own weaknesses and say "we could be next." Those are two different scenarios in which industry peers might choose to eschew their ethics and throw their hat into the Anonymous ring of anarchy.

As we know, recent law enforcement raids against Anonymous and Lulz Security have had mixed results. Those arrested include a bevy of adolescents, including the group's 18-year-old spokesperson, a 19-year-old bot herder and an unnamed 16-year-old. Shown in its best light, Anonymous appears as an amorphous collective whose members keep themselves technically well-segmented from one another. More cynically, it looks like something run by technically savvy adults who are careful to make sure those who are less so take the fall, without being able to "out" them (purposefully or accidentally) if and when the less skilled are arrested.

Ironically, these kinds of raids only fuel the anger and frustration of the Anti-Sec movement when law enforcement challenges the technical and security abilities of those they are going after by claiming to have arrested and charged high-level members. As with past efforts against large groups and similarly specious claims, this often leads to larger and more frequent attacks, sometimes aimed at law enforcement itself. Hopefully they will remember and learn from those mistakes.

Being at Black Hat, the largest business-oriented threat and management event in the country (and likewise DEFCON, the largest "hacker" conference), one must muse, if any of the above is true, on how many of those among Anonymous walk the same hallways as the other "Humans" this week, either speaking or learning. There are differing opinions on whether such extreme criminal acts are the way to make things better for peers in the industry. If nothing else, the attacks by the Anti-Sec movement put everyone working in information security under a magnifying glass. Who hasn't been tempted to contemplate extreme measures in an effort to raise a red flag about the need to protect critical corporate assets?

As always, however, security "ends" often don't justify the means. Seductive as the hacktivism of Anonymous and Lulz Security may seem, there's a reason those who wear the White and Gray have Red Teams, pen-testing tools and consultants: they allow us to expose weakness without resorting to criminal activity, reckless destruction and the public release of highly valuable corporate assets.

Definitely discussion points for Black Hat, DEFCON and future cons beyond.

Discussion

  • Not_Anonymous on

    th3j35t3r an anon? i think not :/

  • JollyRoger on

    Anon...  Make a difference.  Make a statement without making a threat.  Don't hurt the employee while teaching the employer.  You want to be great?  You want to be heard?  You want to make a difference?  Do it with dignity, not with fear or hatred or malice.  Don't do it when the bottom 98% of a company pays the price.  Be right.  Be a "Robin Hood."  Don't be the self-appointed sheriff of Hackingham.

  • Anonymous on

    I doubt the truly skilled, high-echelon members of Anonymous will ever be caught.  Similarly, I have no doubt that huge numbers of Anonymous cheerleaders and coattail-riders will be busted.  In addition, I believe that Mr. DeLong's musings are very accurate.  Every industry has its share of disgruntled workers, and the IT security field is no exception.

    When HBGary took the hits square on the chin, my gut told me that someone within that organization was aware of the ethically-questionable conduct they were embarking on and saw Anonymous as the perfect foil to bring their illicit conduct out into the open.  The end result was like a whistleblower using an air raid siren.

    One thing is certain, these attacks will only go so long before Anonymous falls prey to capture...or worse, is made into a handpuppet for organized crime.

  • AlanMatthews on

    Compliance is a high water mark. Very useful for insurance companies. Doesn't mean the water won't exceed the mark next time. Don't be a weeny - corporations exist to benefit their shareholders not their IT staff.

  • Anonymous on

    Perhaps you can argue that point with Sony's C-level staff who decided to terminate some of their Security staff only to be hit with a 170m+ bill; I bet the stakeholders are equally pleased.

    IMO if the company declines control recommendations, they accept the risk.

  • KaroakeNinja on

    Really, they are hacking defense contractors. That is the money spot. Likely they are being manipulated by people who want in there. That gives them plausible deniability. All the BS politics on top of that... just a cover for those guys. The bad guys supply the skills and bugs, and the rest just follow along making themselves potential collateral damage. They think they served some BS political higher power, but in reality they were just serving much smarter and more serious people overseas.

    The BS politics is just that. Most people won't say this. It is derived, silly, an obvious excuse for general anti-social behavior. There is zero substance to it, and it is transparent to any adult with a modicum of political savvy. That is, if they are not biased. (Plenty, obviously, have political savvy and are biased liars.)

    Most people won't say this: because it is so obvious and does not need to be said. It would be like taking a picture of poop and feeling you need to say, "Oh gross".

    But, sometimes you need such captions for those who are slow.

    The positive from all of this is simply that it does help companies secure themselves. So, that aspect is not anti-social. Ironically. But, these guys have caused enormous damage, there is no way around that.

    The worst, of course, so far has been publishing information about the private lives of police officers so as to make their families be in danger.

    Some of these people could be in IT Security, but more likely, not much skill there at all. You only need one or two solid hackers to do anything. So a few with skill. The rest are patsies, dupes. I am not sure whose pockets they are filling here. China? Russia? Somebody on the inside selling that data to an intel agency?

    Maybe there is no such conspiracy. But it would be obviously trivial to manipulate these groups. Just mouth the words and give them the "arms". They would go and be anyone's attack dog this way.

  • Anonymous on

    @KaroakeNinja

    "But it would be obviously trivial to manipulate these groups. Just mouth the words and give them the "arms". They would go and be anyone's attack dog this way."

    You'd imagine so, and once the "operation" gets underway, but Anonymous aren't some group of idiots, they're not about to just do what someone randomly suggests... If someone puts forward a good case or w/e and other people verify that you're not full of crap (that the company or whatever actually deserves (in anonymous' opinion)) then it'll get posted and bumped up and people will attack the company. And yes, the subset of those Anons who are able to do much more than DDoS is small enough for them to manipulate the result (by not partaking in the raid, sabotage isn't really possible on a large scale...), but the average users will still be able to attack the site if they want, or not if they don't...
