Last month, the US media group PBS ran a strange story on its Web site. “Prominent rapper Tupac has been found alive and well in a small resort in New Zealand,” it reported. “The small town — unnamed due to security risks — allegedly housed Tupac and Biggie Smalls [another rapper] for several years.”
For two reasons, this was a surprising piece of journalism. First, Tupac died in 1996. Second, the piece wasn’t written by PBS. It had been planted on their site by a group called Lulz Security, a loose collective of anonymous hackers who wanted revenge for a recent PBS program that criticized WikiLeaks. “Greetings, Internets,” Lulz wrote on their own Web site, by way of explanation. “We just finished watching WikiSecrets and were less than impressed. We decided to sail our Lulz Boat over to the PBS servers for further ... perusing.” Above the message read the tagline: “Set sail for fail!”
It was an extraordinary episode, but by no means isolated. In March, hackers stole a database of e-mail addresses from the marketing group Epsilon, in what one commentator called the largest e-mail address heist in history. Then computer security firm RSA had their servers breached, an attack that may have led to the hacking of defense giant Lockheed Martin, an RSA client. In April, person unknown cracked Sony’s PlayStation network, and stole 77 million users’ data. And in the past month, the IMF, CitiBank, the Spanish police, Google, the Turkish and Malaysian governments, the US Senate, and, just two nights ago, the CIA have all been hacked in one form or other.
GRAPHIC: TT
It is tempting to consider this a kind of hackers’ high noon. But, says Richard Clayton, a prominent computer scientist at Cambridge University, conflating these different attacks is a “bit like treating knife crime as the same as burglary.” In simple terms, there are three kinds of attack taking place. Hacktivism is the most prominent: Raids by amateur groups such as Lulz (who took down sites belonging to the CIA, the Senate, and the Spanish police) or Anonymous (PayPal, PlayStation, MasterCard, and Visa), either for fun, “for the lulz” — or, increasingly, as an act of political protest. Then there’s the criminal kind — professionals hunting for credit card details, or e-mail address directories, with the aim of selling them on for profit. While the PlayStation systems were first hacked by hactivists, a second breach was made by cyber criminals who had more commercial ends. And finally, there’s state-sponsored espionage, or even cyber-warfare. “Google, RSA, Lockheed Martin, IMF — the strong suspicion is that all those were state-sponsored, or state-approved,” says Dave Clemente, a cyber security expert at Chatham House, the international affairs think tank. “Whether it’s Chinese, or Russian, or eastern European, a lot of these hacks seem to have been given a wink and a nod of tacit approval from states.”
Are all three categories really on the rise? Well, possibly. “It’s difficult to substantiate whether there’s more going on or not,” says Rik Ferguson, director of security research at computer protection firm, TrendMicro. “What’s certainly true to say is that more attacks are being publicly disclosed. Victims are more willing to come forward and say ‘something bad happened to us.’” Disclosure laws obliging companies to come clean about data breaches have been in place in many parts of the US for several years. But the real turning point, says Ferguson, came only a year ago, when Google went public with the news that it had been hacked by Chinese sources. “That got the ball rolling,” Clemente says. “It suddenly seemed more permissible to report a hack. Getting hacked doesn’t seem to have the stigma that it did several years ago, and there’s not a feeling now that you’re on your own if you get hit.”
But even if increased openness is in part to thank for the apparent hike in hacking, there has still been an exponential rise in the number of cyber threats. In 2008, security giant Symantec counted 120 million malware variants; last year, that figure had risen to 286 million. Symantec security strategist Sian John has also noted a large increase in what are known as “targeted attacks.” A decade ago, a hacker would usually have intended a single virus to reach millions of people. Today, the average number of computers infected by an individual malware is just 15, and that is because hackers are using a new tackle called spear-fishing, which enables them to be more specific about who they target. “In the past, if you got a phish attack, it would be from a Nigerian offering you lots of money,” John says. “Now it’ll be from someone saying: ‘Oh, we saw you at that conference last week. Here’s some minutes of that conference.’” And contained within those minutes will be a virus.
This kind of targeted attack has become so dangerous because of the amount of information we divulge on the Internet. “One of the first places a hacker will visit is LinkedIn,” Ferguson says. “What do we do on there? We make our entire CV available for the world to see. You can see everywhere I’ve worked in the past. You can see all my connections, see everyone I’ve worked with, everyone I know. So a hacker can assume one of those people’s identities and reference things that have happened in my professional life. And I’m far more likely to open an attachment from your e-mail, because it’s far more credible.” Unsurprisingly, then, Ferguson’s job involves not just infiltrating black-hat hacking communities online, but training office workers to be more aware of social engineering ruses such as these. (Security experts have also been known to test a company’s defenses by leaving infected USB sticks lying around and seeing whether anyone picks them up out of curiosity. In 2008, US military computers were breached in this way, according to rumor, after hackers scattered USBs across a car park at a US base in the Middle East.)
Targeted attacks are also popular because they enable cyber-criminals to go after individuals with access to large banks of information. “Criminals,” says Ferguson, “have realized they can get more bang for their buck if they can penetrate a large aggregation of data in one single successful attack, rather than trying to compromise multiple individual PCs.” Hence the hacking of Epsilon, which at a single stroke may have given hackers access to millions of e-mail addresses.
The most audacious example of a targeted attack is thought to be an act of espionage rather than criminal activity. Last year’s Stuxnet worm supposedly worked its way through the Iranian military computer system with a single goal: to damage the centrifuges that controlled the country’s uranium enrichment program. But while, according to John, “Stuxnet is the most sophisticated piece of malware we’ve ever seen,” most hacking techniques have not necessarily changed much in recent years.
“They sound rather complicated,” says David Whitelegg, who blogs at ITSecurityExpert.co.uk, “but really they are often no more sophisticated than they’ve ever been.” The malware that led to the hacking of security giant RSA may have been a “zero-day attack” — ie, it had never been seen before — but the method of infection was nothing new. “At the end of the day, a user within that company opened an e-mail. It went into his spam box, he opened it, and that launched the attack. And that’s the way it’s always been.”
Direct denial of service attacks (DDoS) — the method employed by Anonymous to take out PayPal, Mastercard and Visa by overloading them with hits — are also nothing new. “DDoS has been around for years,” Whitelegg says. “There’s nothing you can do about it.”
But even if their methods are old, the arrival of groups such as Anonymous and its offshoot Lulz Sec does mark a changing of the guard. “Hactivism is definitely on the rise,” Ferguson says. “Anonymous were previously quite a cliquey underground community. But as the WikiLeaks thing unfolded, and they gave their support to Julian Assange, and they began to attack organizations they felt were treating WikiLeaks unfairly, they have garnered a lot of coverage. They’ve associated themselves very cleverly to V for Vendetta, a popular film with a popular image and well-known taglines such as ‘We are Legion.’” New members have also realized how simple it is to join the group. “If they want to participate, it’s very easy for them to download a tool that hands over your computer to Anonymous” — and which then allows them to take part in DDoS attacks.
Yet if their rise is partly down to greater exposure and clever associations, it is also undeniably linked to a growing political consciousness throughout the cyberspace community. The anarchist collective Deterritorial Support Group recently posted an essay entitled “Twenty Reasons Why it’s Kicking Off in Cyberspace,” which aimed to explain the recent rise of Anonymous and Lulz. “Make no mistake,” they wrote, “this is not a minor struggle between state nerds and rogue geeks — this is the battlefield of the 21st century, with the terms and conditions of war being configured before our very eyes ... At the heart of it is a newly politicised generation of hackers who have moved from a lulz-based psychic-economy to an engaged, socially aware and politically active attitude towards world events, primarily as a reaction to the way governments and multinationals dealt with the fallout of WikiLeaks.”
Such political development engagement raises new moral questions. A Lulz attack on, say, the CIA, is primarily an act of protest — a Web-based sit-in, if you like. “And if the police are wary of arresting people for taking part in a real-life sit-in,” Ferguson asks, “then why are they so willing to arrest people for the digital equivalent?” In other circles, however, such actions are considered less protest, and more acts of war. “Cyberspace,” read a Chatham House cyber security report from last year, “should be viewed as the ‘fifth battlespace,’ alongside the more traditional arenas of land, air, sea and space.” Significantly, the report also noted that “in cyberspace the boundaries are blurred between the military and the civilian, and between the physical and the virtual; and power can be exerted by states or non-state actors, or by proxy.”
It is tempting to think of this kind of debate as irrelevant to our everyday lives. Symantec says mobile phone technologies will be hacking’s next target, and perhaps it is physical problems such as this that we should be more concerned about. But as we increasingly live more of our lives online, and as that boundary “between the physical and the virtual” is increasingly blurred, perhaps it is the conceptual questions posed by hacking that will ultimately prove more significant.
Recently the Chinese Nationalist Party (KMT) and its Mini-Me partner in the legislature, the Taiwan People’s Party (TPP), have been arguing that construction of chip fabs in the US by Taiwan Semiconductor Manufacturing Co (TSMC, 台積電) is little more than stripping Taiwan of its assets. For example, KMT Legislative Caucus First Deputy Secretary-General Lin Pei-hsiang (林沛祥) in January said that “This is not ‘reciprocal cooperation’ ... but a substantial hollowing out of our country.” Similarly, former TPP Chair Ko Wen-je (柯文哲) contended it constitutes “selling Taiwan out to the United States.” The two pro-China parties are proposing a bill that
Institutions signalling a fresh beginning and new spirit often adopt new slogans, symbols and marketing materials, and the Chinese Nationalist Party (KMT) is no exception. Cheng Li-wun (鄭麗文), soon after taking office as KMT chair, released a new slogan that plays on the party’s acronym: “Kind Mindfulness Team.” The party recently released a graphic prominently featuring the red, white and blue of the flag with a Chinese slogan “establishing peace, blessings and fortune marching forth” (締造和平,幸福前行). One part of the graphic also features two hands in blue and white grasping olive branches in a stylized shape of Taiwan. Bonus points for
March 9 to March 15 “This land produced no horses,” Qing Dynasty envoy Yu Yung-ho (郁永河) observed when he visited Taiwan in 1697. He didn’t mean that there were no horses at all; it was just difficult to transport them across the sea and raise them in the hot and humid climate. “Although 10,000 soldiers were stationed here, the camps had fewer than 1,000 horses,” Yu added. Starting from the Dutch in the 1600s, each foreign regime brought horses to Taiwan. But they remained rare animals, typically only owned by the government or
“M yeolgong jajangmyeon (anti-communism zhajiangmian, 滅共炸醬麵), let’s all shout together — myeolgong!” a chef at a Chinese restaurant in Dongtan, located about 35km south of Seoul, South Korea, calls out before serving a bowl of Korean-style zhajiangmian —black bean noodles. Diners repeat the phrase before tucking in. This political-themed restaurant, named Myeolgong Banjeom (滅共飯館, “anti-communism restaurant”), is operated by a single person and does not take reservations; therefore long queues form regularly outside, and most customers appear sympathetic to its political theme. Photos of conservative public figures hang on the walls, alongside political slogans and poems written in Chinese characters; South
RSS