March 1, 2011 at 9:00 AM ET
Imagine having every e-mail you've written published by hackers for the entire world to see. You don't have to stretch your imagination very far -- it's already happening to some folks.
Meet the new face of computer hacking. Inspired by the success of WikiLeaks, stealing and disclosing data is the new form of Internet revenge -- and chaos. There's concern that a new generation of WikiLeaks imitators will come along and use widespread dissemination of embarrassing information as its weapon of choice.
Hackers who call themselves Anonymous -- the group that has gained notoriety for attacking Visa and MasterCard in defense of WikiLeaks -- broke into computers operated by a government contractor named HBGary Federal in early February. Once inside, Anonymous members wreaked all kinds of electronic havoc, including the theft of thousands of employee e-mails. These were then published in searchable form on a Web site similar to WikLeaks, leading to a host of embarrassing disclosures for HBGary employees. The incident drew so much attention that it was featured in a recent segment on “The Colbert Report.”
At the world’s largest computer security conference in San Francisco last month -- RSA USA -- the attack dominated conversations outside meeting rooms.
But lost in the noise and the embarrassment was this chilling truth: It could happen to you. In the old hacker world, it was enough to deface a company's Web site and put up a sarcastic, embarrassing message. The HBGary e-mail history incident -- stealing data, publishing it online, and creating an easy-to-use search engine that encourages its spread -- takes the game to a whole new level.
“Leaking has gone mainstream,” said Mikko Hypponen, chief research officer at Finland-based F-Secure.com. “It's likely this phenomenon isn't going to go away, and we will be seeing leak sites for years to come.”
In the aftermath of the WikiLeaks controversy over the release of secret U.S. diplomatic cables last fall, security research firm McAfee predicted that so-called hacktivism would take an aggressive new turn this year. Traditional electronic activists were generally content to perform online versions of sit-ins, temporarily disabling Web sites of targeted entities with denial-of-service attacks. The spreading of previously non-public information through a sophisticated network of Web sites beyond the reach of law enforcement is a far more effective -- and potentially damaging -- form of online protest.
In fact, security experts openly fretted at the security conference that WikiLeaks imitators will soon become commonplace. And unlike WikiLeaks, not all imitators will consider their work to be goal-oriented hacktivism. In other words, they may not go to any trouble to redact information prior to publication in an attempt to avoid collateral damage to innocent bystanders. Some may simply be motivated by creation of pure anarchy.
"The question is, will the advent of WikiLeaks trigger a mass distribution of information from the hidden depths of public and private entities?" said Jeff Bardin, founder of security research firm Treadstone LLC.
Most who examined the HBGary incident came away with the view that CEO Aaron Barr willingly put a target on his own back by threatening to publicly expose members of Anonymous. And since the release of the e-mails, several important discoveries have been made, suggesting the firm was part of a conspiracy to discredit WikiLeaks in advance of upcoming data leaks that could embarrass prominent U.S. companies.
On the other hand, many of the e-mails contained innocuous information, such as personal life details, information that could lead to identity theft, or potentially humiliating online purchases. It’s important to note that both senders and recipients of the e-mails were made public, meanings hundreds -- if not thousands -- of outsiders were also dragged into the HBGary disclosure. Nearly everyone interviewed at the RSA conference in February had searched the database to see if their name and e-mail was in it.
"This goes way beyond exposing wrongdoing, though there was wrongdoing exposed by the e-mail," said Kevin Poulsen, author of the new book “Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground.” Poulsen is also senior editor at Wired.com
Stealing someone's e-mail and publishing it online, regardless of the impact on innocent bystanders, is hardly new. It happened when a criminal stole Sarah Palin's e-mails during the last presidential campaign, and it's happened to plenty of so-called "white hat" security researchers in the past. The Anonymous incident is different, however, because the group made it so easy for others to search the e-mails for embarrassing details.
"It's the sophistication with which they put it out there that's different," Poulsen said. "That was clearly WikiLeaks-inspired."
Gregg Housh calls himself an Internet activist who has been associated with Anonymous in the past. He describes himself as an avid observer of Anonymous, and he has at times served as the group’s public face. He said Anonymous had no concerns about such collateral damage when it published the data, and probably won't think much about that going forward.
"That's just the way it’s going to have to be now," he said. "It didn't have to go this way, but many people in your field (journalism) failed us. ... It was only natural that something would show up and replace it. I don’t see anyone at all, even slightly, caring about what happened. For the most part the Anons who did it feel like messengers. It's Aaron's (Barr) fault it happened and all blame should be put squarely on his shoulders."
Housh agreed to act as a go-between for msnbc.com to get thoughts from Anonymous members, and said a spokesman from the group offered this response: "In all honesty, we didn't care what was in these e-mails, let alone what damage they might have caused. We were focused on getting revenge on Aaron Barr, everything else was just a bonus -- we don't regret what was uncovered and we'd do it again a thousand times over."
Barr resigned from HBGary on Monday, according to Forbes.com. Anonymous, meanwhile, knocked the website for Americans for Prosperity offline. That conservative organization has been very active in the Wisconsin standoff over collective bargaining rights, spending more than $400,000 in TV ads in support of Republican Gov. Scott Walker's plan to take away union bargaining rights.
In a press release attributed to the group, Anonymous said it was taking on the billionaire Koch brothers, who fund Americans for Prosperity.
"Their actions to undermine the legitimate political process in Wisconsin are the final straw. Starting today we fight back," the press release said.
Anonymous acts much like a traditional hacktivist group, having planned several old-fashioned denial-of-service attacks in support of WikiLeaks and other causes. But theft and distribution of data as a method for revenge will likely bleed into pure anarchy, experts worry.
"The evidence is thin at this point but I think we will see a lot of that in the future," Poulsen said. "Intruders motivated by ideology and revenge, hacking for the purpose of shaming."
Such groups will be particularly troublesome because, unlike WikiLeaks, they will have little to lose. WikiLeaks had donors to please, Poulsen said, and leader Julian Assange showed signs that he was motivated by a quest for credibility. As a result, the Web site improved efforts over time to remove information that might cause collateral damage from its releases, at one point experimenting with eliminating all proper nouns from some document dumps.
"We will not see that from copycat groups,” Poulsen said. “They don't care about respectability. They have no interest in fundraising."
One reason Poulsen thinks a rash of copycats might be coming: It's often easier to hack into mail servers than other computer targets. Until recently, hackers seemed primarily interested in stealing financial information for personal gain. That means computer firms have spent most of their energy protecting computers which host that valuable data. But it also means that many have taken their eye off the ball when it comes to other servers, which were thought to be unattractive targets.
Internet users have always been told that anything they write in an e-mail could end up in court, or in front of a boss's prying eyes. Now more than ever, that warning should be heeded: Don't type anything on a keyboard that you wouldn't want the entire world to see. Even if you feel like your company’s servers could never be hacked, can you trust every company you ever e-mail?
And here's another piece of advice from Poulsen.
"Don't piss off Anonymous," he said.
Bardin is not quite as pessimistic as some of his peers. He thinks the current trend of leaked and hacked information being splattered all over the Internet will not continue unabated. A combination of improved security techniques, and the establishment of alternate channels for airing government and corporate gripes, will ultimately slow down WikiLeaks imitators, he thinks.
"We are seeing the spikes of those releases until controls are put in place and it becomes a method of ethical disclosure as opposed to a state of information disorder," he said.
RED TAPE WRESTLING TIPS
Hypponen said that even though he believes the likelihood that the average Internet user will get caught up in an Anonymous-style disclosure is small, there are some common-sense steps users can take to protect themselves.
“It might be worth considering deleting all e-mails that would be older than, say, six months. You could archive older e-mails to an offline storage that could not be reached by an online attacker. This would at least limit the amount of damage that could be done,” he said. “And of course, create a smart password and authentication policy and follow it through.”