Cyber Vigilantism: Your Country Needs You


Tony Campbell

The cyber battleground is already littered with direct hits as well as a landscape of collateral damage sustained by innocent civilians caught in the wrong place at the wrong time. The Paris attacks have certainly left most of the civilized world in shock, so it’s little wonder people are now asking what they can do to help: Anonymous is now cashing in on this impetus, declaring cyberwar on ISIS and asking for assistance from anyone who wants to try their hand at hacking.

So, what’s really going on in cyberspace and is there anything you can do that keeps you on the right side of the law and also makes sure you stay safe?

Battle Plans
Just last week, Anonymous published the names and addresses of a bunch of alleged ISIS recruiters and successfully took down over 5,500 Twitter accounts connected to their terrorist organisation. The hacktivists then posted a “call to arms,” asking for volunteers to assist in their vigilante efforts to wipe ISIS off the Internet. Their hacking guidelines and lists of targets, suspended Twitter accounts and links to horrible ISIS media, have all been posted on Pastebin and do make for interesting reading. Be warned though, some of the video material that they are targeting is pretty horrible and it’s impossible to un-see stuff you might decide to sit through. Trust me on that one…

However, while Anonymous’s anti-terror offensive, dubbed #OpISIS and OpParis, ramps up, ISIS has already hit back with a massive, coordinated Distributed Denial of Service (DDoS) attack against a number of targets in the United Kingdom, as well as bombarding Anonymous’s own DDoS capability, known as the Low Orbit Ion Cannon (LOIC), with a sustained attack. The strength of these sustained attacks in the UK is unprecedented according to Digital Attack Map.

“November 18th DDoS Attacks, courtesy of Digital Attack Map”

Furthermore, to make matters worse, ISIS has now retreated into the recesses of the Dark Web with its primary Internet capabilities, now accessible only through the use of the multi-layered onion router encryption service, known as TOR.

Communications in Plain Sight
So, how are the ISIS recruits coordinating their global terrorist attacks across the diverse geographical regions they operate in? Like every other criminal and terrorist organisation, they are making significant use of side-channel messaging technologies to orchestrate their efforts. With more than 70 terrorist attacks reported over the past 60 days (a high percentage of which were carried out by ISIS), surely they must be coordinating these attacks using highly sophisticated military grade technology that allows them to fly below the radar? This is in fact incorrect. Interestingly, it’s not hard to fly under the law-enforcement radar and communicate in secret. Criminal groups are leveraging the anonymity and encryption capabilities of modern messaging services like WhatsApp, Telegram and Sony’s PlayStation Network, which naturally provide a high degree of privacy and confidentiality from the surveillance attempts by law enforcement and the intelligence services. Furthermore, there are many, many ways to covertly share information over the Internet and criminal organisations have been doing this for years to the detriment of law enforcement and national security. Communications within Massively Multiplayer Online Game (MMOG) environments and virtual reality environments such as World of Warcraft and Second Life are great examples. In the guise of unidentifiable avatars, they wander around within limitless digital worlds and exchange messages, files, and even use dead drops to pass instructions or orders to subordinates. The scale of this problem is untenable, especially given the limited resources legitimate law enforcement and intelligence services have and the fact that every new game and social media application hitting the market these days creates an online community in one way or another.

What Can You Do?
It’s little wonder then that Anonymous is asking for volunteers. They released a hacking guide aimed at ‘n00bs’ (i.e. beginners) to entice them to join them in the fight against ISIS. “Instead of sitting idle in the channel or lurking around and doing nothing,” their statement says, “you can benefit greatly from the different tools and guides that have been provided to you.”

Interestingly, ISIS retaliated by calling Anonymous “idiots”, and releasing their own guidelines for ISIS fighters that show them how to protect themselves from these attacks. Needless to say, this tit-for-tat bickering is certainly escalating.

The question you need to ask yourself is what side of the law you want to remain on. Hacking is still illegal and anyone in business, especially operating as a security professional, needs to remember that they have an ethical code of practice they must abide by. I’ll repeat this just in case you missed it – hacking is illegal. Targeting someone’s Twitter account or website, even if they are a suspected terrorist, is against the law and you will be prosecuted.

We’ve already seen recently that an Australian member of Anonymous received a three-year sentence for trying to hack a number of different public and private servers back in 2014.

You also need to bear in mind that your uncoordinated efforts may well hamper the efforts of law enforcement. What if the Twitter account you hack is actually an undercover police account? What if that website you DoS is being used by a group planning the next attack, but is being actively monitored already by the intelligence services? You might well force the attackers onto another service that can’t be tracked. The best approach is to report anything you see or hear to the authorities and let them coordinate the approach with their national and international counterparts.

Security Management Warning
Security managers should be warning the staff they have responsibilities for that an emotional response, while expected, should not be followed up with action. Remain logical and stay within the law. Drawing negative attention to yourself or your business will not be seen as positive by customers or partners and if you happen to stumble across a suspect account or website, report it to the authorities or even your management if it’s in work.

Security managers should be setting up auditing capabilities that detect this kind of behaviour to protect the business from the risks of criminal activity.

The best approach is to leave the hacking to the intelligence services and should groups like Anonymous want to run their own operations, you can choose to show support for their cause by remaining on the right side of the law and looking but not touching.

Just remember, if you see something, say something.

