What is internet activism?

Computer hackers supporting Julian Assange, the founder of WikiLeaks, have recently attacked the websites of businesses such as Mastercard and Amazon. What’s going on? Simon Wilson reports.

What has happened?

Anonymous, the collective of computer hacker activists who see themselves as guardians of internet freedom, last week launched the highest-profile (though not biggest) ‘denial-of-service’ attacks yet mounted. Using social media to rally their forces, they showed their support for Julian Assange, the WikiLeaks founder arrested over allegations of sexual assault unrelated to his work, by trying to flood the websites of firms opposed to WikiLeaks. These included Visa, Mastercard, PayPal and Amazon.

What’s a denial of service?

‘Distributed denial of service’ (DDoS) attacks are not new, nor particularly technically complex. Such an attack is simply an attempt to shut down a website by clogging it up – flooding it with a huge number of simultaneous requests for data. It’s a pretty crude form of protest – a kind of cyber blockade, rather like a crowd of people deciding to put a big supermarket out of action by all turning up at the same time, blocking the aisles and asking staff thousands of questions. In effect, it’s an online flash mob making a political point, albeit illegally.

Is it enough to shut down a major website?

Yes, though often not for long. The typical method is to use a ‘botnet’ – a network of thousands of computers working in tandem, built by using malicious software to commandeer thousands of poorly guarded computers over the internet (making them ‘zombies’). The person building the botnet is known as a ‘bot-herder’. Each zombie can then (in this case) fire thousands of data requests per second at a particular website, causing it to crash. It’s the same principle that organised fraudsters use to send out spam. A Russian man who went on trial in Wisconsin last week had allegedly used a botnet to send up to ten billion messages a day, or up to a third of the world’s unsolicited e-mail.

Is it difficult to pull off?

It’s alarmingly easy, especially if you have lots of volunteer bot-herders joining forces. In the case of Operation Payback (the pro-WikiLeaks campaign), reports suggest that organisers may be co-ordinating up to 100,000 computers in all, and that they have persuaded more than 2,000 people to put botnet software onto their own computers to help. Police sources suggested that the 16-year-old boy arrested in the Netherlands in connection with the attack is much more likely to be one of the botnet donors than one of the main instigators. Botnet software is available online for anyone who wants to find it – you can build your own botnet for less than $1,000.

Who else has been targeted?

In the past, most major ‘hacktivist’ protests have been politically motivated. Chinese hackers targeted US government sites after Nato missed its target and bombed the Chinese embassy in Belgrade in 1999. Russians attacked Estonian sites over plans to remove a Soviet-era statue. The Anonymous group has disrupted a wide range of sites, reflecting the so-called “hive mind” mentality: previous targets include a white supremacist group, YouTube, and (its favourite target) the Church of Scientology.

How worried should businesses be?

They shouldn’t panic. Apart from a welter of publicity, the most protestors managed to achieve last week was briefly to take down web pages operated by Visa, Mastercard, PayPal and the Swiss bank PostFinance. In the case of PayPal, the only page that went down was the company blog. There “wasn’t any really significant damage, not to any critical infrastructure”, Craig Labovitz of security firm Arbor Networks told the San Francisco Chronicle. The biggest volume of data used in a denial-of-service attack last year was 49 gigabits per second; last week’s attacks were pretty small beer, only “a couple of gigabits”, said Labovitz. But that doesn’t mean businesses can ignore the issue.

Why not?

Typically, politically motivated ‘hacktivists’ are not necessarily out to cripple businesses; their attacks are mostly about publicity. Obviously, if the frequency of anti-business protests grew, that would have implications for brand and reputation management. To date, however, the businesses most affected by DDoS and similar attacks have been online casinos, which have been subject to frequent attempts at extortion by criminal hackers, as opposed to politically motivated ‘hacktivists’. As The Economist pointed out last week, constantly improving technology has led to an explosion in corporate data, which businesses (like governments) must work harder to protect in future. But the major threat to businesses, particularly those based on e-commerce or a web presence, is much more likely to be in dealing with organised criminals than with internet libertarians.

