It’s cute when social media is used to create a flash mob where hundreds of people, in one instance, gathered in New York City dressed as elves in 2009. It’s potentially menacing, though, when the same organizing principle of social media is used to bring down Web sites. IT security expert Hugh Thompson says enterprises need to protect themselves from what is now called “hacktivism” because they never know when they are going to somehow get on the wrong side of people who know how to attack them in cyberspace.
Thompson, an adjunct professor of computer security at Columbia University and program committee chair for RSA Conferences, discussed new security risks in a Web cast Wednesday, hosted by RSA, which brings its annual security convention to San Francisco next month. As you’ll recall, WikiLeaks.org last fall obtained 250,000 documents of confidential U.S. State Department cables and leaked hundreds of them online and to various news organizations. In response, companies that process donation payments to WikiLeaks, such as Master Card, Visa and PayPal, blocked further payments to WikiLeaks. That, in turn, prompted a group of WikiLeaks supporters called Anonymous to reach out to other supporters online to allow their computers to be used to launch distributed denial of service attacks against those and other sites.
Anonymous, then, used the same approach as the organizers of a flash mob of elves in New York City in 2009, or the 10th annual No Pants Day a few weeks ago, in which 3,500 New Yorkers road the subways without wearing pants. “What it did was unite a group of people who had a shared belief and moved them into action,” said Thompson.
In the context of Anonymous, though, “This is an incredibly scary trend in information security,” he continued. “What it’s done is open the door to people who are disenchanted or upset with a particular group and gives them a means of expression that is very harmful.”
However, there is some debate about how harmful the Anonymous attacks really were. The financial sites were taken down, but only briefly and the hackers didn’t penetrate the actual transaction processing systems of those companies. Nonetheless, WikiLeaks shows the power of social media to be used for ill, regardless of your political feelings about whether WikiLeaks is a hero or villain.
Thompson says companies will now have to be mindful of not just what kind of firewall, intrusion detection, anti-virus and other security systems they have in place. “Now a new security parameter is going to be what the public perception of the company is,” he said. For example, it would not have been out of the realm of possibility for a cyber attack to be launched against BP in the wake of public criticism of their oil spill in the Gulf of Mexico last year.
Thompson also spoke about the potential for attacks on cloud service providers and the extent to which companies moving to the cloud need to specify security mandates in their service level agreements. I’ll talk about that and other security issues ahead in 2011 in my next post.