The Cybersecurity Canon: We Are Anonymous

For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion.

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012) by Parmy Olson

The Anonymous franchise really hit its stride between 2010 and 2011. Hacktivism began earlier than that of course (1994 was the first documented case that I could find), but it did not strike fear into the hearts of CEOs, CSOs and government officials until that two-year run.

It was the perfect storm of technology, disenfranchised young-ish people, “Internet Pranks as an Art Form” empowerment and the hacking culture that came together into a gigantic hairball of activity and energy that caused governments from around the world to double-clutch on some of their more severe policies and caused business leaders to actually fear the impact to their bottom line.

Trying to understand that phenomenon is quite the task, and Parmy Olson, in her 2012 book, “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency,” is an apt guide. Through unprecedented access to some of the core players on many of the more infamous operations, Olson is able to capture the essence of how the hacktivist movement got started in earnest, to describe the inevitable drama between competing factions and to provide insight into how this franchise operates. I think this will absolutely stay relevant; hacktivism is once again in the headlines, as we saw in the early November attacks on Asian government websites.

I call it a franchise because “Anonymous” is not a club. You do not pay dues. You do not register your name, e-mail account and twitter handle with anybody in power. There is no singular power. Anonymous is more of an idea than an organization. Hacktivists use that idea to get attention in the media and to get a reaction from the target they are pursuing.

For example, if I wanted to protest the US Senate’s inability to pass gun-control legislation this year (2013), I might write a scathing blog pointing out the dwarf-like physical characteristics of some of the key senators involved (if I were a law-abiding white-hat citizen). On the other hand, I might choose to go the other way and organize a Distributed Denial of Service (DDoS) attack against a few key senators’ web pages or compromise a senator’s email accounts and publish his or her messages on a public site somewhere (if I were willing to live on the lawless side wearing a black hat).

I could do those things, but nobody on the planet really knows who I am, and all of those activities (white hat and black hat) would just register as part of the noise. But if I wrap myself in the trappings of the Anonymous franchise – the imagery, the YouTube videos with Matrix-like voiceovers and the Twitter public relations campaigns – I amplify the importance of my cause both to the general public and to clueless media outlets. The Anonymous franchise has heft. By claiming to be a leader in the group, regardless of whether I am or not, I get instant recognition and have all the assumed powers that the public thinks the group has. Genius!

How Anonymous Arrived

Ms. Olson walks the reader through the history of how this franchise was built and does a really good job explaining the culture. She does a good job walking through concepts such as 4chan, troll bait, LOIC and SQL injection attacks. Along the way, she also scuttles a few of the Anonymous myths. The main one is that not all contributors are elite hackers. In fact, most are not. Many of the operations’ leaders are, for sure, and some of them are quite skilled. But most contributors who consider themselves part of the Anonymous movement are enthusiastic activists with a lot of Internet savvy. They can run circles around the average Joe in terms of Internet communication, but as Ms. Olson notes, not many have ever slung any real code.

Olson describes how the leaders of the more infamous operations (Chanology, Payback, Freedom Ops, etc.) understood this and leveraged it. They treated these enthusiastic activists as trolls, in some kind of perverse recursive prank, and made them think they were more important than they really were. In the early days, leaders even provided the masses a tool, the Low Orbit Ion Cannon (LOIC), which allowed them to easily participate in a DDoS raid of choice. Of course, the developers of the LOIC did not initially protect the users from prying eyes like the FBI, and law enforcement made many arrests. But the Anonymous PR machine kept churning, proclaiming the success of the hacktivist masses against evil governments and commercial empires.

The dirty secret, though, was that as the targets got bigger (PayPal, MasterCard, Visa), the Low Orbit Ion Cannon, even with thousands of contributors, did not put a dent in the defenses of these targets. It was not until the leaders leveraged their own botnets that these web sites were brought to their knees. Of course, that was not the message the PR machine generated. In order to completely leverage the Anonymous franchise and get the attention of the media and the intended targets, they had to proclaim that the damage was being done by the Anonymous masses. Olson calls this “… a mirage of power and scale.”

At the end of the book, Olson lists a comprehensive timeline of significant hacktivist events, from a group called the Zippies launching a DDoS attack on UK government websites in November 1994, to the coining of the term “hacktivism” in 1996, to Operation Payback in 2010 and the LulzSec 50-day hacking spree in 2011.

She also lists core LulzSec members and other Anonymous supporters, and does a really good job explaining some of the technology used by Anonymous members, including Hashkiller.com, Gigaloader/JMeter, HideMyAss and the use of Second Life gaming worlds to launder money.

Conclusion:

This book is a must-read for all cybersecurity professionals. It does not cover the entire Anonymous movement, but by focusing on the evolution of the Anonymous franchise and the rise and fall of the LulzSec hacking group, Ms. Olson captures the essence of the hacktivist culture and what motivates its supporters. I would put this in my list of essential cybersecurity books, especially for historical context.


Introducing The Cybersecurity Canon: Books You Should Have Read

can·on –  /kanən/ – noun

1. A group of literary works that are generally accepted as representing a field: “the durable canon of American short fiction” (William Styron).

2. A list of writings officially recognized as genuine.

3. The list of works considered to be permanently established as being of the highest quality: “Hopkins was firmly established in the canon of English poetry.”

For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. In my new role as Chief Security Officer of Palo Alto Networks, I have to stay visible and well-informed, and make sure I’m an evangelist for the company. To me, these are books no one in our field can do without.

To me, the Canon isn’t purely technical literature and includes both nonfiction and fiction. Books that are how-to manuals for the inner workings of security protocols, coding practices, standard operating procedures and the like are important, but there are plenty of books in those categories that are covered by the various technical and security certification programs. And unless the book describes some timeless aspect of the community, it doesn’t really meet the definition.

What I am looking for in this list are books that make us human; books that not only tell us how something works but why. The Cybersecurity Canon should include books that explain how we got here and describe the people that drove the community down this path. These books can be novels if they capture the culture correctly and can illustrate and educate the general public about the true nature of cybersecurity. They need to illuminate our timeless thinking on different adversary motivations like crime, hacktivism, espionage and war. They also need to describe realistic hacking techniques and cyber operations.

I’ll be presenting on this topic at RSA 2014 in February, and at that time I’ll discuss my first candidates for inclusion into the Canon. Between now and then, Palo Alto Networks will post my discussions of each of these candidate books so that interested people can preview them before the presentation if they are so inclined and can decide for themselves whether they belong in the Canon or not.

Check back later today for the first entry in my series. Perhaps you might like to take exception with my list and offer other books for consideration. I welcome the debate. This should be fun.


Target Breach Of 70 Million Customers’ Data Used Bargain Basement Malware

The massive data breach at Target during the 2013 holiday shopping season, which the retailer now admits affected 70 million customers, used an inexpensive “off the shelf” malware available online for as little as $1,800, reports Krebs on Security. This malware, known as BlackPOS, is likely of Russian origin and may have also been involved in the Neiman Marcus attack, and others allegedly known but not confirmed.

The malware was surreptitiously installed on the embedded Windows OS computers on the point of sale (POS) terminals in all of Target’s U.S. stores. The company’s Canadian outlets apparently use a different software system and were not targeted in the attacks. Although the magnetic stripe information is encrypted on its way out of these POS terminals to the financial institutions for verification, the data is briefly stored in plain text in the unit’s RAM (memory). Thus, the malware “scrapes” this info from the RAM and stores it until it can be retrieved in batches through a persistent remote connection.
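The weakness described above is that track data sits unencrypted in memory, however briefly. A defender auditing a POS build or a memory image wants a way to confirm whether card data is actually present in plaintext. The following Python check is an added example, not code from the article or from Krebs: it scans a byte buffer for ISO 7813 track-2 records and bare primary account numbers (PANs), keeps only Luhn-valid digit runs to suppress false positives, and reports masked findings. The `SAMPLE_DUMP` buffer is constructed for the example and uses publicly known test card numbers, not real accounts.

```python
import re

# Track-2 record layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare 13-19 digit run that is not embedded in a longer run of digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so a finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Report Luhn-valid card data found in plaintext inside a byte buffer."""
    findings = []
    track2_spans = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            track2_spans.append(m.span())
            findings.append({
                "kind": "track2",
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry_yymm": m.group(2).decode(),
            })
    for m in PAN_RE.finditer(buf):
        # Skip digit runs that belong to a track-2 record already reported.
        if any(start <= m.start() < end for start, end in track2_spans):
            continue
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "pan", "offset": m.start(), "pan": mask_pan(pan)})
    return findings


# Constructed sample: a fragment of a memory image with one track-2 style record,
# one 16-digit value that is not a card number, and one bare PAN. Test numbers only.
SAMPLE_DUMP = (
    b"\x00\x00POS_TXN_LOG\x00"
    b";4111111111111111=25121011234567890?"  # track-2 record, industry test PAN
    b"\x00cust_ref=1234567890123456\x00"     # 16 digits but fails Luhn: not a card
    b"\x00tender=5500000000000004\x00\x00"   # bare PAN, industry test number
)

if __name__ == "__main__":
    for finding in scan_buffer(SAMPLE_DUMP):
        print(finding)
```

Run against a real process dump or log extract, a non-empty result is evidence that the terminal handles card data in the clear at some point; an empty result only says this buffer was clean, since the window in which the data is unencrypted may be short.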

The real weakness, though, is not in the POS terminals but in Target’s central data network. The crooks apparently had an open channel to every POS terminal in every Target store for over two weeks! The price of the malware itself indicates that it’s not rocket science, but neither, I guess, is cracking the whole network.

The POS terminals themselves can be replaced with newer models that encrypt end to end. This will be expensive, but nothing, obviously, compared to the hit that Target has taken thus far. It is surprising that its overall network is so open. The same things that make for convenient remote administration also create huge security holes. WiFi networks have been implicated in previous larger retail breaches, but Target has not specified the vector of the attack. All that Target CEO Gregg Steinhafel was willing to tell CNBC in an interview on Saturday was that, “We don’t know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we’ve established.”

According to Reuters, “smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Brian Krebs of Krebs on Security says he is not ready to confirm this but assures that “when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.” I’ll be looking for that any day now.

The only up note in Target’s disclosure is that it is highly unlikely that the perpetrators would have been able to crack the triple-encrypted PIN codes for the purloined card numbers. There is no known method for doing so, but there have been reports of inquiries on message boards about such capabilities coinciding with this data breach. The PIN codes would allow the criminals to produce fake cards and use them to withdraw cash. Absent that, a source familiar with these matters tells me that the typical scenario for such stockpiles of credit card numbers is to use them to buy small electronics which can then be resold (new, in the box) on eBay, Amazon and other online marketplaces. This kind of “gray market” activity is responsible for the ability of certain sellers of such items to consistently price their goods just below market value (since they are not paying anything for them anyway!). Combating these kinds of mass outlets for goods purchased with stolen credit cards could make wholesale hoovering of financial data less liquid, and ostensibly less prevalent.
