Are Rising Corporate Cyber Attacks a Conspiracy?
The hacker world has been a busy one lately.
The blend of high-profile cyber intrusions and denial of service attacks, mixed with vague anonymous threats delivered by mechanized voices and curiously timed offline periods for major corporations, has prompted some conspiracy theorists to wonder — Is there a hacker movement underway to undermine big business and/or the economy?
The good news is that while there are certainly some anti-business forces in the hacking world, groups like Anonymous and its many offshoots and imitators lack the focus to organize a sustained attack on the corporate world at large. Unfortunately, that doesn't mean there's going to be any sort of slowdown on these attacks anytime soon. In fact, things may get worse before they get better.
"What you're seeing is that hackers are responding to the considerable amount of media attention being given to the hacking issue," said Hemu Nigam, founder of SSP Blue, an Internet security consultant business and former VP of Internet enforcement at the MPAA. "More hackers want to attack [companies] to see if they make the press. It's a vicious cycle and the only way to stop it is to focus on identifying the vulnerabilities and closing the gaps."
The hacks of late have been of especially high profile. What is believed to have been a denial of service attack Tuesday took down MSNBC and NBC Sports. (Update: On Thursday MSNBC.com indicated that it does not believe the incident was an attack, although the cause remains under investigation). MSNBC is owned by NBCUniversal and Microsoft. NBC Sports, like CNBC.com, is owned by NBCUniversal, which is owned by Comcast.
And the Twitter feeds of both Fox News and NBC News have been compromised recently, with the hackers publishing false alerts of a terror attack on the 10th anniversary of 9/11 and of the assassination of President Obama on July 4.
They're not limited to companies. Personal information of JPMorgan CEO Jamie Dimon and Burger King CEO Bernardo Hees was posted online last week. And they're not limited to the U.S. Japan's Mitsubishi Heavy Industries was hacked last month at factories that build submarines and missiles and make components for nuclear power plants.
The proliferation of attacks, though, is making many people leap to the assumption that there are nefarious reasons for any corporate Web outage. For the past several days, Bank of America has had several disruptions to its homepage.
The problems, which include delays and difficulty in accessing online banking systems, started a day after the company announced plans to charge a $5 monthly fee for many account holders using their debit cards.
Bank of America, though, has repeatedly insisted it hasn't been hacked or faced any security issues. At the same time, it hasn't given a reason for the outages, which has fueled the rumors. (The bank subsequently blamed a software upgrade).
This sort of paranoia among consumers is normal, Nigam said, but the fact is outages happen all the time, and hackers are rarely to blame.
"A sense of fear is developing in the consumer community," he said. "Any time a system goes down, people will assume it's because of hacking — and the majority of times, that's not why. It could be many, many, many other reasons. It could be upgrades. It could be a server issue. It could be human error."
The biggest name in the hacking world is Anonymous. This loosely organized group got its start on 4chan, the Internet’s most infamous imageboard, specifically its sometimes gritty "/b/" subforum. The founder of that site, though, argues that while the site (and the group) have become notorious for their exploits, there's a value in hiding behind that wall of anonymity.
"One of the things that 4Chan does that’s really special is the way people come together to collaborate en masse," said Christopher Poole at South by Southwest this year. "It’s the process at which you arrive at the product that is fascinating. … Anonymity is authenticity. It allows you to share in a completely unvarnished, raw way. … The cost of failure is really high when you’re contributing as yourself."
That anonymity leads to plenty of confusion, though — even among members. Since anyone can claim to be a member and speak on behalf of the group, it's hard to know what threats to take seriously. The most recent example of this is the threat that appeared Tuesday to "erase" the New York Stock Exchange from the Internet. One day later, though, another person claiming to speak for the group denied the plan was real.
Anonymous' communications issues are a more recent trend, though. In fact, the group has achieved a level of notoriety that has upped the stakes in the hacking world. Earlier this year, a splinter group calling itself LulzSec hacked Sony Pictures, posting reams of personal information from customers in an attempt to gain 'street cred' in the hacking world. (Many alleged members of that group have since been arrested.)
It was, in fact, the high-profile attacks on Sony's PlayStation Network (which Anonymous is suspected of playing a part in – perhaps unwittingly) that kicked off this year's flood of high-profile cyber crimes.
"Hackers are very motivated by seeing people talking about the fact that they've successfully broken into a system," says Nigam. "Inside their community they might be sharing who did what — and in that community they're excited about what's going on."
To date, the attacks have largely been annoyances rather than catastrophic. The release of customer personal data is a public relations blow to any company — and an annoyance to those customers who have to install alerts on their credit reports — but rarely fatal. Similarly, denial of service attacks cost companies money in terms of resources required to fix the problem and downtime, but from a corporate standpoint, they're more brush fires than raging infernos.
The attacks do, however, underscore weaknesses in the security systems of big businesses that have been ignored for too long.
"If there's a message here to the private sector, it's hunker down and fix those vulnerabilities - and fix them before the hackers find them," Nigam said. "Your business's revenue is at risk."