The Cybersecurity Canon: Neuromancer

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Neuromancer (1984) by William Gibson

William Gibson’s landmark Neuromancer is a must-read for every cybersecurity professional, not because you will learn new insights into your craft, but because you will understand why this book was so influential to the cybersecurity zeitgeist back in the day.

Gibson invented and clarified the language that we are still using today ten years before it became mainstream. He coined the word “cyberspace,” launched the “cyberpunk” genre, pontificated about “the singularity,” guessed (correctly) that “hacktivism” would be a thing, and understood that we would need a form of “search” long before any of us even knew how vital Google and similar services would become. You should have read this by now.

Gibson published Neuromancer in 1984 and subsequently received multiple book awards for his efforts, including The Nebula Award for Best Science Fiction Novel and The Philip K. Dick Award for Best Science Fiction Paperback. Among his accolades, Gibson is credited with one of the best ever opening novel lines:

“The sky above the port was the color of television, tuned to a dead channel.”

Literary critics subsequently tagged this novel as the “quintessential” work in a new genre called cyberpunk. Gibson himself chafes a bit at that label, but it may be that label that got security geeks interested in the book in the first place.

Scholars categorize cyberpunk as stories written in a near-dystopian future where technology is advanced, governments have withdrawn in potency to be replaced by corporations, and man-machine interfaces and cyborg beings are the norm (think Blade Runner if you are having trouble getting your head around the concept). Sci-fi writers invented cyberpunk when they realized that there might be another path to the future besides the one advertised by Star Trek and Star Wars, one that is not as pristine and humanitarian as, say, Ender’s Game. Cyberpunk worlds always have some grit to them: sex, drugs, and rock and roll.

But I don’t think cyberpunk itself is the draw for security geeks. The draw, in my mind, is a combination of elements that is consistent in popular geek entertainment today.

Hackers and Cowboys

The main Neuromancer character is Case, a world-class hacker, referred to as a cowboy in the book, who has fallen from grace. The government caught him doing something stupid and, through surgery, made it impossible for him to ever connect to the Internet — “jack” into “cyberspace” — again.

The story opens with Case on his last legs, hustling the streets of Japan for drug and booze money, cigarettes and, if he had anything left over, food. He is literally days away from expiring. Through a series of random meetings that the reader does not understand until midway through the book, Case gets a chance at redemption.

He ends up joining a misfit team: The Leader, Armitage (ex-military); The Assassin, Molly (a beautiful cyborg); The Techie, Finn (a prototypical scrounger); and The Mentalist, Peter (a psychopathic mind bender). Case completes the team as the resident cowboy. The leader seems to have unlimited funds at his disposal and pays to reverse the process that prevents Case from jacking in (and pays to have his kidneys amplified so that his body cannot process drugs either – bonus!). The reader is never really sure what the team’s ultimate objective is until close to the end of the story, but along the way we get plenty of Kung Fu between the assassin and every bad guy we meet, love-making between the hacker and the assassin, and a verbal description of what it means to hack that is eerily similar to how modern computer gamers play today.

What’s not to like? Why wouldn’t the cybersecurity geeks of the world love a story where the loser-hacker can win the girl, hack for a greater good, be critical to a super-ninja’s purpose, and ultimately be the hero in the story? The cyberpunk elements make the story fun, but the hacking-copulating-jujitsuing elements make the story soar, at least to a geek like me.

The story itself is really about the incipient moments before “the singularity,” that moment when an artificial intelligence, a software program, becomes sentient. You know what I am talking about. This is a standard sci-fi trope today probably best known in the Terminator movies when Skynet goes online and decides that humans are no longer needed. In Neuromancer, the singularity is still a relatively new sci-fi idea, and the reader discovers that the power behind the leader is really an artificial intelligence called Wintermute. Wintermute is a subprogram working for a larger artificial intelligence called Neuromancer.

The Tech

Gibson invents some new culture in this book too, and when I remember that he published it in 1984, I get chills thinking about how prescient he was. Two ideas come to mind. The first is a hacktivist group called the Moderns. Remember that in 1984, the Internet was little more than a white board diagram and some primitive university communications systems. Yet, Gibson had the vision to predict cyber hacktivists – which these days continue to be all over the news — and described them this way:

“Moderns: mercenaries, practical jokers, nihilistic technofetishists.”

If that is not the perfect description of Anonymous, I don’t know what is.

The second idea comes in the form of a personalized search engine Gibson calls the Hosaka. The Hosaka is basically an artificial intelligence that searches the Internet for whatever the user requires. This is not quite what Google does for us today, but it is very close.

Conclusion

I thoroughly enjoyed reading this book. It really is a must-read if you want to understand the cybersecurity culture of today, not only because it is one of the first cyberpunk novels, but also because it is a ripping good story that discusses things that cybersecurity geeks like to talk about: kung fu, getting the girl, and making hacking sound fun and exciting. How cool is that?


The Cybersecurity Canon: The CERT Guide To Insider Threats


The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012) by Dawn M. Cappelli, Andrew P. Moore, and Randall F. Trzeciak

When the Edward Snowden case hit the press in summer 2013, I was working as the CISO of a mid-sized government contractor organization. At the time, my senior leadership rightly asked if our own insider threat program would have detected Snowden’s activities before he released classified information to the public. I had to admit that the honest answer was no. Because of Snowden’s system administrator position, he was a trusted employee (contractor). He had the keys to the city, or at least some of them.

We may have had better luck catching Bradley Manning. According to Bill Simpich at Reader Supported News (RSN), Manning released some 700,000 documents to the public. That volume of exfiltrated documents may have been noticed by my automated monitoring system or would have been stopped by my preventative controls (not allowing access to the CD system on classified machines), but Snowden released only a handful of documents (with the promise of more later). My monitoring system would not have noticed that kind of precision, and because he was a system administrator, he most likely had permission to turn off my preventive controls that stopped USB use.

It was because of these developments that I picked up The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) by Dawn Cappelli, Andrew Moore, and Randall Trzeciak. I wanted to see if there was something else that could be done.

What is clear from reading the book is that there is no technical solution that truly mitigates insider threat risks, which is something many of my colleagues at Palo Alto Networks have also written about. Technology can aid in discovery – and in our case, can safely enable applications without slowing down business productivity. But the tech itself is only a part of an organization’s discovery process. For any insider threat program to be successful, leadership must coordinate across three lines of business activity: policy, training, and information technology (IT) discovery.

Book Organization

The CERT book itself is a bit odd. It is written in an academic style that is not as direct as other technical security books that I have come across. The authors scatter layers of the same information through the chapters. Specifically, they talk about the 16 mitigating controls in at least three locations at various levels of detail. Lists of indicators of precursor behavior are all over the place and are not consistently presented. To me, the thing they do get right is that they are very explicit about what the risks are and what you can do to counter the risks.

There is good information here. Cappelli and her co-authors recommend specific administrative, technical, and physical controls that they have found useful in detecting and mitigating the insider threat. What’s also helpful is that they define three types of insider threats:

  • Insider IT sabotage: Incidents in which the insider uses IT to direct specific harm at an organization or an individual.
  • Insider fraud: Incidents in which an insider uses IT for the unauthorized modification, addition, or deletion of an organization’s data (not programs or systems) for personal gain, or the IT theft of information that leads to an identity crime.
  • Insider theft of intellectual property: Incidents in which an insider uses IT to steal proprietary information from an organization.

They make a weak case that certain mitigations, controls and certain precursor behavior go with specific types of insider threats, but they do not show that the data is conclusive. Nevertheless, insider threat programs must look for all potential precursor behavior and apply the correct mitigation control against it.

16 Mitigation Practices

The authors say it right away: “If you learn only one thing from this book, let it be this: Insider threats cannot be prevented and detected with technology.”

There is no magic bullet here. The mitigations this book describes are the same mitigations that any group of CISOs standing around a white board for an hour might come up with. What makes the book valuable is that it is backed up with real data. After analyzing some 700 cases, the authors can make reasonable assertions about what might work. The epiphany for me was that the bulk of the recommendations do not fall within the technical realm. More than half fall into the administrative side, which may be why detecting the insider threat is so hard.

For any insider threat program to work, it must rely on humans communicating clearly across business boundaries, from the executive leadership team down to the employee users regarding policy, from the internal business units to the external trusted business partners about acceptable use, from the managers observing employee behavior and reporting anomalies to human resources, and from the IT department gathering evidence for leadership to make a decision. My colleague, Danelle Au, recently discussed why CISOs have to be the executives that ensure these communications are happening cross-functionally on a regular basis.

The authors describe 16 strategic goals to help prevent an insider threat attack and suggest a number of tactical controls for an organization to put in place to make that strategic goal successful. These include everything from considering insiders and business partners when performing enterprise-wide risk assessments, to a clearly documented and consistently enforced set of policies and controls.

I’ve also seen success in techniques such as periodic security awareness training for all employees, anticipating and managing negative workplace issues, and many more suggested by the authors.

What To Focus On

Assessing my organization’s ability to detect and prevent insider threat activity similar to actions performed by Snowden and Manning was sobering. With the controls I had in place in my previous role, I most likely would not have been successful. The CERT Guide book outlines specific mitigating controls to consider for preventing this kind of activity in the future.

Although the book is frustratingly academic, the specific assertions about what to put in place are backed by more than 700 case studies. It is the authoritative source about what works and what does not for this threat. What I learned from reading this book is that there is no technical solution that truly mitigates insider threat risks. For any insider threat program to be successful, leadership must coordinate across the entire business in terms of policy, training and implementation to ensure four tactical goals:

  1. Train employees and managers to watch for the signs of potential insider threat behavior.
  2. Provide mechanisms across the organization to report and review the activity.
  3. Establish and maintain the apparatus to monitor for potential abuse.
  4. Mitigate the risk before any damage is done.

The key to the entire program is the human element, and that is why defending against the insider threat is hard.


The Cybersecurity Canon: The Cuckoo’s Egg


The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage (1989) by Clifford Stoll

If you are a cybersecurity professional, you should have read this by now. More than 20 years after it was published, it still has something of value to say on persistent cybersecurity problems like information sharing, privacy versus security, cyber espionage and the intelligence dilemma. Rereading it after 20 years, I was pleasantly surprised to learn how pertinent that story still is. And even if you are not a cybersecurity professional, you will still get a kick out of this book. It reads like a spy novel, and the main characters are quirky, smart, and delightful.

Looking Back

The Cuckoo’s Egg is my first love. Clifford Stoll published it in 1989, and the first time I read it, I devoured it over a weekend when I should have been writing my grad school thesis. It was my introduction to the security community and the idea that somebody had to protect these new-fangled gadgets called computers. Back in those days, authors put their email addresses in their books, and when I finished reading it, I sent Mr. Stoll a note explaining how much I enjoyed his book. He answered immediately and that forever made me a fan. But besides being a window back through time to the beginning of our modern Internet age, Stoll’s book highlights many of the security problems that still plague us today.

The story itself reads like an Alfred Hitchcock movie. Joe Average-Man — in this case, Stoll as a hippie-type systems administrator keeping the computers running at the Lawrence Berkeley National Laboratory just outside San Francisco — is in the right place at the wrong time. Like Cary Grant and Jimmy Stewart before him, Stoll is minding his own business when he stumbles upon a bit of a mystery that, when it all plays out, is much larger than he is. By tracking down a minuscule computer-accounting error, Stoll unraveled an outsourced, Russian-sponsored, international cyber-espionage ring that leveraged the Berkeley computers to break into US military and government systems across the United States.

The book documents Stoll’s journey as he tries to get help from the US and German governments to do something about this serious threat that nobody wants to own. As the story unfolds, the reader also gets a fascinating glimpse at how the Internet looked just before it exploded into the commercial, informational and cultural juggernaut that it has become today.

The interesting dichotomy at play in the book, though, is how Stoll deals with government authorities. In the book, he describes himself as a “mixed-bag of new-left, harmless non-ideology,” yet he routinely called, cajoled, and coordinated leaders and administrators in the NSA, the CIA, the FBI, and other government and military organizations – bastions of the near and far right. How Stoll gets his head around those two philosophies is fun to read.

It is in these interactions with the government that Stoll runs squarely into one of those persistent problems that we still have in the security community today, and one we still talk about at each and every cybersecurity conference I attend.

The government does not like to share.

Stoll consistently ran into government bureaucracy: human-government vacuum cleaners who were eager to take any and all information that Stoll had in regard to his investigation but who were also unwilling to share anything that they knew in return. To be fair, the US government today is getting better at this information-sharing thing, but leaders are a long way from implementing a free-flowing information exchange. I am not sure it will ever get there. And as we’ve been discussing for months now here at Palo Alto Networks, what we’ve learned about what the government will share versus what data they will collect is going to continue to be a source of hand-wringing and also a catalyst for the increased use of techniques such as SSL/encryption.

There’s also the second persistent problem. As Stoll is wrapping up the book, he concludes, “After sliding down this Alice-in-Wonderland hole, I find the political left and right reconciled in their mutual dependency on computers. The right sees computer security as necessary to protect national secrets; my leftie friends worry about an invasion of their privacy.”

If that is not the perfect summation of the fallout from the Edward Snowden investigation, I don’t know what is. The Snowden case is just the last one in a series of privacy-versus-security trade-off debates that the United States and other countries have made in the past twenty years. As Bruce Schneier points out, this is a false argument: “The debate isn’t security versus privacy. It’s liberty versus control.”

He and other pundits highlight the fact that this is not an either-or decision. You can have security and privacy at the same time, but you have to work for it. In this book, Stoll was the first one I can remember who raised the issue. He struggled with it back then as we are all doing today.

The third persistent problem is the cyber espionage threat. The commercial world only really became aware of the issue when the Chinese government compromised Google at the end of 2009. The US military had been dealing with the Chinese cyber espionage threat, back then known as TITAN RAIN, for at least the decade before that. But Stoll claims that his book describes the first public case where spies used computers to conduct espionage, this time sponsored by the Russians. The events in The Cuckoo’s Egg started happening in August 1986, almost 15 years before TITAN RAIN, and some of the government characters that Stoll deals with in the book hint that they know about other nonpublic espionage activity that happened earlier than that. The point is that the cyber espionage threat has been around for some 30 years and shows no sign of going away any time soon.

The fourth and final persistent problem is really not a cyber problem at all but an intelligence discipline problem. Throughout the book, Stoll struggles with the idea of whether or not to publish his findings. He describes the problem like this:

“If you describe how to make a pipe bomb, the next kid that finds some charcoal and saltpeter will become a terrorist. Yet if you suppress the information, people won’t know the danger.”

That is the classic intelligence dilemma. It goes directly to the Snowden issue today wherein the lefties are concerned about privacy and want transparency for all security matters. The righties value security over privacy and worry that transparency will give too much information away to the bad guys. In my heart, I think there is some middle ground that could be reached. Since 9/11, the United States has swung in the direction of security over transparency. I do not see that changing anytime soon. Stoll definitely comes down on the side of transparency though, but like I said, he is a self-described “mixed-bag of new-left, harmless non-ideology.”

A Side Note

On 3 November 1988, 34 minutes after midnight and almost a year after Stoll concluded his forensics investigation on the Russian-sponsored cyber espionage ring, Robert Morris Jr. brought the Internet to its knees. He launched the first ever Internet worm, and for at least some days after, the Internet ceased to function as UNIX wizards of all stripes worked to eradicate the worm from their systems. Aside from the coincidental timing of the worm, the reason this is significant to this book is that Robert Morris’ father, Bob Morris Sr., was Stoll’s contact at the NSA during the investigation. He was one of those human vacuum cleaners taking in information but not giving any out. By all accounts, Bob Morris Sr. was a computer wizard in his own right and I have often speculated about how much his son picked up at the dinner table from his dad about the theoretical ways one might attack the Internet.

The Tech

The egg in The Cuckoo’s Egg title refers to how the hacker group compromised many of its victims. It turns out that the real-life cuckoo bird does not lay its eggs in its own nest. Instead, she waits for any kind of other bird to leave its nest unattended. The mother cuckoo then sneaks in, lays her egg in the unoccupied nest, and sneaks out, leaving her egg to be hatched by another mother. Similar to the cuckoo bird, Stoll’s hackers took advantage of a security vulnerability in the powerful and extensible GNU Emacs text editor system that Berkeley had installed on all of its UNIX machines. As Stoll said, “The survival of cuckoo chicks depends on the ignorance of other species.”

The spy ring spent a lot of time trying to take over regular user accounts so that they could log in as those users and review the system without causing alarm. In one instance, after becoming a system administrator with the Emacs attack, one hacker opened up the system’s password file. He still did not know what the passwords were for all the users on the system because they were encrypted. Instead of trying to break them, he just erased one of them. He picked a specific user and erased the user’s password. When he logged in as that user later, the system would grant access since there was no password guarding the account.

After a while, the hacker started downloading the entire password file to his home computer. Stoll later discovered that the hacker executed a brilliant new attack. He encrypted every word in the dictionary with the same algorithm that encrypted passwords and compared the encrypted passwords in the downloaded password file with the encrypted dictionary words. If he found any that matched, he could now log in as a legitimate user. Brute-force dictionary attacks are standard today, but back then, this was a new idea.
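The two weaknesses in the passage above, an erased password field and an unsalted password hash that can be matched against a hashed word list, are both things a defender can audit for. The script below is an added example, not Stoll’s code or anything from the book: it parses a constructed passwd-style file, flags accounts whose password field is empty, and flags accounts whose stored hash equals the hash of a word from a small constructed word list. SHA-256 stands in for the UNIX crypt() of the period (an assumption of this example), and the salted variant, which stores a per-account salt next to the hash, shows why the “hash the dictionary once, compare against everyone” approach described above stops working once salts are in use.

```python
"""Audit a passwd-style file for erased passwords and dictionary-word hashes.

Added example (not from The Cuckoo's Egg or Stoll's own tooling). The sample
file, user names and word list are constructed; SHA-256 stands in for the
crypt() algorithm of the period.
"""
import hashlib

# Constructed word list standing in for "every word in the dictionary".
WORDLIST = ["password", "berkeley", "cuckoo", "letmein", "gnu"]


def unsalted_hash(word):
    """Unsalted hash: the same password always produces the same hash."""
    return hashlib.sha256(word.encode()).hexdigest()


def salted_hash(salt, word):
    """Salted hash stored as 'salt$hash'; the salt is public, not secret."""
    return salt + "$" + hashlib.sha256((salt + word).encode()).hexdigest()


# Constructed sample password file in 'user:password:uid:gid:gecos:home:shell' form.
SAMPLE_PASSWD = "\n".join([
    "# constructed sample, not a real password file",
    "root:" + unsalted_hash("Xq7!m2Lv") + ":0:0:root:/:/bin/sh",
    "alice::1001:100:Alice:/u/alice:/bin/csh",  # password field erased
    "bob:" + unsalted_hash("berkeley") + ":1002:100:Bob:/u/bob:/bin/csh",
    "carol:" + salted_hash("k9", "berkeley") + ":1003:100:Carol:/u/carol:/bin/sh",
])


def parse_passwd(text):
    """Return (user, password_field) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; an audit should not crash on it
        entries.append((fields[0], fields[1]))
    return entries


def find_empty_passwords(entries):
    """The 'erased password' trick: an empty field means no password check."""
    return [user for user, pw in entries if pw == ""]


def find_dictionary_passwords(entries, wordlist):
    """Hash the word list once and compare against every stored hash.

    Only unsalted hashes can match a precomputed table; carol's salted entry
    never does, because her hash depends on her salt as well as the word.
    """
    table = {unsalted_hash(w) for w in wordlist}
    return [user for user, pw in entries if pw in table]


def audit(text, wordlist=WORDLIST):
    """Run both checks and report the affected account names only."""
    entries = parse_passwd(text)
    return {
        "empty": find_empty_passwords(entries),
        "dictionary": find_dictionary_passwords(entries, wordlist),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD))
```

Running it reports alice (no password at all) and bob (unsalted hash of a dictionary word); carol uses the same weak word but her salted hash does not appear in the precomputed table, which is the property that moved the industry from the scheme the hacker exploited to salted, and later deliberately slow, password hashing.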

Decades Later

I can’t tell you how pleased I am that The Cuckoo’s Egg still holds up after 20 years. Being my first love and all, the old girl has aged quite well. Instead of playing Jimmy Stewart or Cary Grant in an old black-and-white favorite movie, Stoll fits quite nicely in a modern setting. The book still has something of value to say on persistent cybersecurity problems like information sharing, privacy versus security or liberty versus control, cyber espionage, and the intelligence dilemma. This book is part of the canon for the cybersecurity professional. You should have read this by now.


The Cybersecurity Canon: Cryptonomicon


Cryptonomicon (1999) by Neal Stephenson

I said during the introduction to this series that I wouldn’t focus purely on technical literature, or even just nonfiction, for that matter. To me, Cryptonomicon is the quintessential hacker novel. The author, Neal Stephenson, describes a story that is set around the intersection between the discovery of world-changing math insights and the incipient designs of our computer science founding fathers.

Stephenson delights in explaining how all of these things go together. His collection of fictional and nonfictional characters orbits each other across a thousand pages and propels the reader through dual timelines of World War II and the dot-com startup decade of the 1990s.

The result is a multigenerational treasure hunt worthy of an Indiana Jones adventure, but unlike Indiana Jones, this is not a light read. It is dense with ideas. You do not skim through this looking for the good parts, but if you take the time to embrace the journey, you will not be disappointed. You will be fed cybersecurity history, rollicking adventure, heartbreaking tragedy, the pleasures and perils of a multigenerational family, and the awkwardness of several geek love stories all told from the hacker perspective. There is something for everyone here, and you owe yourself the pleasure of finding your favorite part. It deserves a spot in the canon.

Genuine Passion

When I describe Cryptonomicon as the best hacker novel I’ve ever read, I use the word “hacker” from the old-school definition – meaning, not computer trolls who spend their time breaking into systems for fun and profit but technological wizards who have a genuine passion for learning about how things work and making the world a better place with that knowledge.

I admit it: I am a fanboy of Stephenson. He has written several of my favorite hacker novels over the last two decades, including Snow Crash, The Baroque Cycle and Reamde. But he uses Cryptonomicon as his personal petri dish to explore some wide-ranging ideas. He touches on everything from the impact of Allied code breaking during World War II, to the importance of Dungeons & Dragons to modern-day geeks, to the jaw-dropping complexities of twentieth-century banking, to the necessity and procedures for getting the correct ratio of milk to Cap’n Crunch kernels in your morning cereal, to the horrors experienced by soldiers and civilians in the Philippines during WWII, to the significance of cryptological systems in our state-of-the-art world, to the excitement of a present-day treasure hunt, and, most importantly, to the beauty of family ties across generations.

As you might expect, this is a dense read. One fellow fan and author, Charles Yu, describes the book this way: “A copy of Cryptonomicon has more information per unit volume than any other object in this universe. Any place that a copy of the book exists is, at that moment, the most information-rich region of space-time in the universe.”

You get the idea. It is not a novel you are going to get through in a weekend. But one of Stephenson’s great gifts is his ability to juggle many seemingly unrelated and interesting characters within a story and then surprise the reader about how they are all connected. He crafts four main narrative arcs in Cryptonomicon and uses a parade of major and minor characters that intersect at key moments to propel the story. Three of the arcs happen during WWII, and the fourth happens during the Internet boom of the 1990s. Much more is woven throughout, and the word cryptonomicon itself refers to a collection of code-breaking techniques that one character inherits and develops throughout the story.

Why It’s In

Cryptonomicon is unique in that it qualifies in two different categories: “books for important historical context” and “novels that don’t exaggerate the genre.” For historical context, Stephenson describes a story that is set around the intersection between the discovery of world-changing math insights and the incipient designs of our computer science founding fathers. That intersection is ground zero for my chosen profession—cybersecurity—and the hacks that are described are interesting and well within the realm of “the possible.”

But with all of that, Cryptonomicon is not an easy, breezy read. It is packed with ideas. Savor the journey though, and find your favorite part.


The Cybersecurity Canon: We Are Anonymous


We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012) by Parmy Olson

The Anonymous franchise really hit its stride between the years of 2010 and 2011. Hacktivism began earlier than that of course (1994 was the first documented case that I could find), but it did not strike fear into the hearts of CEOs, CSOs and government officials until that two year run.

It was the perfect storm of technology, disenfranchised young-ish people, “Internet Pranks as an Art Form” empowerment and the hacking culture that came together into a gigantic hairball of activity and energy that caused governments from around the world to double-clutch on some of their more severe policies and caused business leaders to actually fear the impact to their bottom line.

Trying to understand that phenomenon is quite the task, and Parmy Olson, in her 2012 book, “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency,” is an apt guide. Through unprecedented access to some of the core players on many of the more infamous operations, Olson is able to capture the essence of how the hacktivist movement got started in earnest, to describe the inevitable drama between competing factions and to provide insight into how this franchise operates. I think this will absolutely stay relevant; hacktivism is once again in the headlines, as we saw in the early November attacks on Asian government websites.

I call it a franchise because “Anonymous” is not a club. You do not pay dues. You do not register your name, e-mail account and Twitter handle with anybody in power. There is no singular power. Anonymous is more of an idea than an organization. Hacktivists use that idea to get attention in the media and to get a reaction from the target they are pursuing.

For example, if I wanted to protest the US Senate’s inability to pass gun-control legislation this year (2013), I might write a scathing blog post pointing out the dwarf-like physical characteristics of some of the key senators involved (if I were a law-abiding white-hat citizen). On the other hand, I might choose to go the other way and organize a Distributed Denial of Service (DDoS) attack against a few key senators’ web pages, or compromise a senator’s e-mail account and publish his or her messages on a public site somewhere (if I were willing to live on the lawless side wearing a black hat).

I could do those things, but nobody on the planet really knows who I am, and all of those activities (white hat and black hat) would just register as part of the noise. But if I wrap myself in the trappings of the Anonymous franchise – the imagery, the YouTube videos with Matrix-like voiceovers and the Twitter public relations campaigns – I amplify the importance of my cause both to the general public and to clueless media outlets. The Anonymous franchise has heft. By claiming to be a leader in the group, regardless of whether I am or not, I get instant recognition and have all the assumed powers that the public thinks the group has. Genius!

How Anonymous Arrived

Ms. Olson walks the reader through the history of how this franchise was built and does a really good job explaining the culture, walking through concepts such as 4chan, troll bait, LOIC and SQL injection attacks. Along the way, she also scuttles a few of the Anonymous myths. The main one is that not all contributors are elite hackers. In fact, most are not. Many of the operations’ leaders are, for sure, and some of them are quite skilled. But most contributors who consider themselves part of the Anonymous movement are enthusiastic activists with a lot of Internet savvy. They can run circles around the average Joe in terms of Internet communication, but as Ms. Olson notes, not many have ever slung any real code.

Olson describes how the leaders of the more infamous operations (Chanology, Payback, Freedom Ops, etc.) understood this and leveraged it. They treated these enthusiastic activists as trolls, in some kind of perverse recursive prank, and made them think they were more important than they really were. In the early days, leaders even provided the masses with a tool, the Low Orbit Ion Cannon (LOIC), which allowed them to easily participate in a DDoS raid of their choice. Of course, the developers of LOIC did not initially protect its users from prying eyes like the FBI: the tool sent its flood straight from the participant’s own connection, with no attempt to hide the source IP address, so every participant was identifiable from the target’s server logs, and law enforcement made many arrests. But the Anonymous PR machine kept churning, proclaiming the success of the hacktivist masses against evil governments and commercial empires.
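To make concrete why LOIC’s users were so easy to identify, here is an added example (mine, not code from Olson’s book or from LOIC itself) that does what a target’s administrator or an investigator would do: parse ordinary combined-format web server access log lines, count requests per source address in a sliding window, and return the addresses that exceed a flood threshold. The log lines, the addresses (RFC 5737 documentation ranges), the window and the threshold are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined access-log format as written by Apache/nginx. LOIC's HTTP mode
# simply hammers a URL from the participant's own machine, so every request
# lands in this log carrying the participant's real source address.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def flood_sources(lines, window_seconds=10, threshold=50):
    """Map each source IP whose peak request count in any sliding window of
    window_seconds exceeds threshold to that peak count. These are exactly the
    addresses an investigator would pull out of the logs."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or truncated line; skip rather than crash
        ip, ts, _ = parsed
        per_ip[ip].append(ts)

    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # slide the window's left edge forward until it fits window_seconds
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            offenders[ip] = peak
    return offenders


def format_line(ip, t, req, status):
    """Render one combined-format log line (helper for the constructed sample)."""
    return f'{ip} - - [{t.strftime(TS_FMT)}] "{req}" {status} 512 "-" "Mozilla/5.0"'


def constructed_sample():
    """Constructed sample log: one LOIC-style participant plus one normal visitor."""
    base = datetime(2010, 12, 8, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Constructed: 203.0.113.7 fires 200 requests in 5 seconds (40 per second).
    for i in range(200):
        lines.append(format_line("203.0.113.7", base + timedelta(milliseconds=25 * i),
                                 "GET / HTTP/1.1", 503))
    # Constructed: 198.51.100.2 is an ordinary visitor, 5 requests over a minute.
    for i in range(5):
        lines.append(format_line("198.51.100.2", base + timedelta(seconds=12 * i),
                                 "GET /index.html HTTP/1.1", 200))
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(constructed_sample()).items():
        print(f"{ip}: {peak} requests in a 10 s window")
```

The only thing this needs is the log the target already keeps, which is the point: a participant who ran LOIC in its HTTP mode from home left a record that needed no special forensics to find. The check says nothing about who sat behind an address, and it sees only the source address the packets actually carried, so a participant behind a VPN or proxy would show up as that service’s address instead.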

The dirty secret, though, was that as the targets got bigger (PayPal, MasterCard, Visa), the Low Orbit Ion Cannon, even with thousands of contributors, did not put a dent in the defenses of these targets. It was not until the leaders leveraged their own botnets that these web sites were brought to their knees. Of course, that was not the message the PR machine generated. In order to completely leverage the Anonymous franchise and get the attention of the media and the intended targets, they had to proclaim that the damage was being done by the Anonymous masses. Olson calls this “… a mirage of power and scale.”

At the end of the book, Olson lists a comprehensive timeline of significant hacktivist events, from the DDoS attack a group called the Zippies launched against UK government websites in November 1994, through the coining of the term “hacktivism” in 1996 and Operation Payback in 2010, to the LulzSec 50-day hacking spree in 2011.

She also lists core LulzSec members and other Anonymous supporters, and does a really good job explaining some of the technology used by Anonymous members, including Hashkiller.com, Gigaloader/JMeter, HideMyAss and the use of Second Life gaming worlds to launder money.

Conclusion:

This book is a must-read for all cybersecurity professionals. It does not cover the entire Anonymous movement, but by focusing on the evolution of the Anonymous franchise and the rise and fall of the LulzSec hacking group, Ms. Olson captures the essence of the hacktivist culture and what motivates its supporters. I would put this on my list of essential cybersecurity books, especially for historical context.
