Slashdot Mirror


Verizon Says Hacktivists Now Biggest Corporate Net Threat

alphadogg writes "Hacktivists — not cybercriminals — were responsible for the majority of personal data stolen from corporate and government networks during 2011, according to a new report from Verizon. The Verizon 2012 Data Breach Investigation Report found that 58% of data stolen in 2011 was the result of hacktivism, which involves computer break-ins for political rather than commercial gain. In previous years, most hacking was carried out by criminals, Verizon said. Altogether, Verizon examined 855 cybersecurity incidents worldwide that involved 174 million compromised records. This is the largest data set that Verizon has ever examined, thanks to its cooperation with law enforcement groups including the U.S. Secret Service, the Dutch National High Tech Crime Unit and police forces from Australia, Ireland and London."

34 of 150 comments

  1. Welcome in the real world by aglider · · Score: 5, Insightful

    where you need real technicians!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
    1. Re:Welcome in the real world by Bengie · · Score: 5, Insightful

      Most companies have coasted by with bad security practices, now they have to up their game. Boo f'n hoo.

      CEOs tell us "sucks to be you, suck it up" when it comes to their monopolies. I say the same thing back at them. Actually employ decent programmers, engineers, admins, and managers. Quality > Quantity?!

    2. Re:Welcome in the real world by tripleevenfall · · Score: 4, Insightful

      The trend over the last 10 years in software development has been labor minimization, offshoring, "just meet the specs" mentality.

      Now a lot of companies are getting bitten in the rear in return for the supposed "savings" they realized over the years. Think your $1500 a year software engineers in Bangalore are going to be able to handle this...? Communication is difficult with them even when you have well defined specs - let alone when the engineer needs to be aware of current events and think of unspecified scenarios themselves.

      I think a lot of corporations are going to find out that IT staff is not dispensable in the way that, say, payroll staff became in the 1990s.

  2. Hactivists == cybercriminals by jcaldwel · · Score: 4, Insightful

    Anyone stealing personal data is a "cybercriminal". Sounds like they are playing with words.

    1. Re:Hactivists == cybercriminals by X0563511 · · Score: 4, Funny

      Criminal. People who stick "cyber" in front of things because the innerwebs are involved need to be slapped.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    2. Re:Hactivists == cybercriminals by Anonymous Coward · · Score: 2, Insightful

      Anyone stealing personal data is a "cybercriminal". Sounds like they are playing with words.

      Not from the perspective of the larger companies/governments.
      While the actual action is similar enough the result is vastly different.
      The main objective for a "cybercriminal" is to steal customer information. The end result is that the customer gets screwed over and the company gets some bad publicity that they have to deal with.
      Hacktivists on the other hand tend to look for indications that the company/government does anything illegal. This causes damage that isn't as easily passed down on the taxpayer/customer.
      I expect that we will see better security for servers and harder punishments for "cybercrime" soon.

    3. Re:Hactivists == cybercriminals by Experiment+626 · · Score: 3, Insightful

      Agreed. It's weird how the article tries to spin them as separate things. "Most cybercrime now politically motivated" would have made for a more accurate headline.

    4. Re:Hactivists == cybercriminals by jcaldwel · · Score: 2

      They're separating out based on motivation.

      I saw that... and that IS playing with words. In this case, a criminal is a criminal regardless of motivation.

    5. Re:Hactivists == cybercriminals by Anonymous Coward · · Score: 4, Funny

      Surely you mean cyberslap them. Cyberhard, right into cyberteeth.

    6. Re:Hactivists == cybercriminals by jellomizer · · Score: 3, Interesting

      Yes they are both motivated by making a lot of money. It is just that one group comes up with a lame excuse that makes it seem like they are fighting for the little guy like a Robin Hood... Except for the fact they are stealing from everyone and giving to themselves.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    7. Re:Hactivists == cybercriminals by davidwr · · Score: 5, Insightful

      As others have said, the distinction is motive.

      There is also a distinction in the damages.

      If I steal a million debit card numbers for greed, I'm going to try to cover my tracks and exploit the cards for profit. There will be tens of thousands of individuals who will suffer direct financial harm as I drain their bank accounts. Even those "made whole" by the banks will still suffer embarrassment. Their banks are also victims. Only when it is traced to the company I stole the data from do they realize they are a victim.

      If I do it for lulz, like "The Joker" on Batman, there's no telling who will be the immediate victim. Will I publicize it to embarrass the banks? Will I order adult-novelty products on the credit cards and send them to the card-owners and watch the fallout on national TV? Who knows.

      If I do it as an "activist" I'm probably only interested in hurting the company, not the cardholders. Yes, the cardholders will suffer collateral emotional damage and some will spend time or money trying to protect themselves in case I'm also motivated by greed, but the intended victim is the company I stole the data from.

      Of course, I may be targeting a third party such as a security vendor by directly attacking its corporate customers, or I may attack a government by attacking those who support it. But in each case, the owners of the bank card numbers I steal aren't going to have their bank accounts drained. Unless of course I have a little greed or I'm careless and let the numbers fall into the hands of someone who is greedy.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    8. Re:Hactivists == cybercriminals by Endo13 · · Score: 2

      But aside from all of that, how the hell do they even know exactly what the motivation was? Just because the intruder said so? Just because nothing bad happened immediately?

      BTW, does anyone have the contact number of the people who made this determination? I have a really nice bridge I'd like to sell them.

      Much as I like the idea of cyber Robin Hoods, you still gotta call them what they are.

      --
      There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
    9. Re:Hactivists == cybercriminals by 0racle · · Score: 2

      I'm not saying they're not, but the distinction is important for the targets. A course of 'Stop being a dick' might be enough to stop being a target of this group of people.

      --
      "I use a Mac because I'm just better than you are."
    10. Re:Hactivists == cybercriminals by jcaldwel · · Score: 3, Insightful

      But the motivation determines if it is a crime in the first place.

      Kill someone with malice, go to prison, kill someone in self defense, no prob.

      I don't think this article was talking about homicide.
      What motivation would make it legal to hack a government or corporate system and steal personal data?

    11. Re:Hactivists == cybercriminals by ArhcAngel · · Score: 2

      The kind where the hacktivist is exposing a tie between a government or corporate system and blood diamonds or oppressive regimes?

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    12. Re:Hactivists == cybercriminals by ArhcAngel · · Score: 2

      So basically, LIES, DAMN LIES!

      ,and statistics.

      I could go to a homeless shelter. Ask every person there if they are homeless. Then post my statistics that homelessness has reached 100%. In microscopic print I "might" add "at homeless shelters".

      What's funny is when political pollsters pull these pranks and still only manage to scrounge up forty percent and change support for their candidate.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    13. Re:Hactivists == cybercriminals by Peristaltic · · Score: 2

      Yes, the cardholders will suffer collateral emotional damage and some will spend time or money trying to protect themselves in case I'm also motivated by greed, but the intended victim is the company I stole the data from.

      You mention "collateral damage" so casually.

      Collateral damage to innocents is usually vilified by the /. crowd when it comes about by the actions of corporations and governments/military/police, yet when a "distinction" is made for "activists" of some sort, suddenly it's not as bad, because "the intended victim is the company I stole the data from".

      Bullshit. If someone is hell-bent on tilting at some windmill... sure, a villain to them, but maybe not so much to an otherwise innocent bystander... and they hurt innocent bystanders- and they do not take the responsibility to try to make that bystander whole again, they are no different than any other entity that hurts innocents while pursuing its own agenda.

      If I'm hurt or if my property is stolen by a corrupt government or an activist, each pursuing their own agenda (that I'm not a part of) under whatever rationalization to which they subscribe, it's all the same to me if I'm still in the hole at the end of the day, figuratively or literally.

      Too many people believe that if they agree with some agenda, it's suddenly okay to hurt someone else (that's not involved) while pursuing it- without taking responsibility for their actions. If I'm not involved, and you hurt me in the pursuit of your goal without trying to make it right, I do not give a shit what your cause is- You are my Enemy.

  3. Bad analysis by DoofusOfDeath · · Score: 4, Insightful

    The truth is that hacktivism alone is not a sufficient cause of corporate data breaches. A variety of issues come into play: corporate laxity in IT, a preference for fast deployment of services over careful security scrutiny, absence of strong legal consequences against corporations for permitting data breaches, programming languages/environments that make it easy to deploy vulnerable services, lack of fine-grained data permissions at the hardware/network/OS level, etc.

    Remove any one of those factors, and the rate of data breaches would likely go down significantly. I'm not sure where Verizon gets off picking just one of them.

  4. Well gee... by JustAnotherIdiot · · Score: 5, Insightful

    Maybe I'd have an ounce of sympathy if Verizon (or any ISP/phone company) didn't constantly fuck over their customers.
    What goes around comes around...

    --
    What do I know, I'm just an idiot, right?
    1. Re:Well gee... by Enderandrew · · Score: 5, Insightful

      We shouldn't support criminals just because they target people we don't like. Effectively that is saying that rights and protection should be applied only to those we favor in a given moment.

      And in some of these cases, passwords, credit cards and personal data were leaked publicly. So the customers are the ones suffering more than companies like Verizon.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    2. Re:Well gee... by Ihmhi · · Score: 2

      We shouldn't support criminals just because they target people we don't like.

      Exactly. That's why Robin Hood is unpopular and almost no one knows about him now and why he was universally hated in his own time.

  5. #1 threat by Anonymous Coward · · Score: 3, Insightful

    Maybe the number one threat is acting like a douche. How many large, successful companies are targeted when they don't act like that? Hey Sony, get a clue.

  6. Crime is crime by rbowen · · Score: 4, Insightful

    This is a really dangerous distinction. Crime is crime. Politically motivated crime is - what? Terrorism? I don't like where this is going.

    --
    Apache guy, Open Source enthusiast, runner
    1. Re:Crime is crime by LordNimon · · Score: 5, Insightful

      I think the point is that hacktivism occurs mostly because of unethical behavior of the target companies, not because they have generally weak security or valuable data. Therefore, companies can avoid being targets of hacktivism more by avoiding unethical behavior, rather than spending millions to beef up their security.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    2. Re:Crime is crime by DarkOx · · Score: 2

      No justice quite like angry mob justice!

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  7. Activism is more visible by Hentes · · Score: 5, Insightful

    When you are hacked by an activist, they will make sure that you and the rest of the world know about it. Criminals, on the other hand, try to be as subtle as possible. Some victims might not even realize that they have been breached, and even if they do it's much easier to cover up. I don't think activism surpasses crime, it's just much more visible.

  8. Easy to protect against by Kidbro · · Score: 4, Insightful

    Well, good thing then, that it's easy to protect yourself against hacktivists. Just stop being dicks.

  9. Re:Which is then used for criminal activity by Opportunist · · Score: 2

    Depends. If the hacktivists make the hack public and hence I know about my CC being stolen before it can be abused, I can react. Plus, my bank has no way to play dumb and pretend it was my fault that my CC number got abused.

    So yes, the average hacktivist is less of a threat to me than the average for-profit hacker.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:Verizon is credible???? by Em+Adespoton · · Score: 5, Insightful

    Indeed... especially in this case.
    Think about how the data was generated: the data comes from reported incidents of network compromise.

    EVERY hacktivist compromise will be reported by the victim, as the hacktivist group has already reported it and they have a responsibility to disclose such things.

    I'd bet that most intrusions and data extractions conducted by other groups (organized crime, government special ops, industrial espionage) are never reported to Verizon, therefore they wouldn't show up in the statistics. For that matter, most of these intrusions likely go completely unnoticed. Considering we've just been finding out in the last year about intrusions that have been ongoing for TEN YEARS, who's to say how many like these are still in the "unreported" category?

    Without all the rhetoric, Verizon's study is really saying that intrusions reported for political reasons are more highly reported than those that both the intruder and the victim have no desire to make public. Any other conclusions involve too much conjecture (on the same level as the RIAA losing billions to piracy) unless more data is provided.

  11. hacktivists == cybercriminals by noh8rz3 · · Score: 5, Insightful

    there's a difference between hacktivists and cybercriminals? sounds like a false distinction to me.

  12. They might be criminal, but they are NOT threat by coder111 · · Score: 3, Insightful

    I consider corporations like RIAA & MPAA, BSA, and politicians lobbied by corporations to legislate censorship, spying & restrictions of internet usage the biggest threat to the internet. Patents & restrictions on writing software are a close second.

    When downloading or uploading information or cracking copy protection can ruin your life worse than committing grand theft or murder, I consider that action immoral and unjust. And I will consider any corporation supporting & pushing this kind of legislation a valid target.

    While I agree that unlawful implies criminal, lawful doesn't necessarily mean right, and unlawful doesn't necessarily mean wrong. These days the laws are a broken mess, and even when they aren't, only the rich can afford to defend themselves, rendering the justice system broken.

    --Coder

    1. Re:They might be criminal, but they are NOT threat by Enderandrew · · Score: 2

      Do you remember the Oklahoma City bombing?

      The terrorists in question disagreed with the federal government. They felt that the only way to enact change was to break the law. So they murdered innocent civilians, including toddlers in the daycare.

      The families of the victims were unhappy with the federal government and how the death penalty was applied in federal cases. So they wrote a law. They traveled to Washington D.C. and testified before Congress. They got their law passed less than a year after the attacks.

      Being unhappy with a system doesn't mean criminal activity is justified when you can legally make changes within the system. I was extremely unhappy with SOPA and PIPA. I spoke to my representatives. Lee Terry here in Nebraska was a co-sponsor of SOPA. After people like me explained our concerns to him, he removed his support for it. I didn't have to commit a crime just because I was unhappy with a situation.

      --
      http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  13. How reliable is this data? by __aailob1448 · · Score: 2

    Hacktivists, by definition, will publicize their break-ins so you can be sure they will be counted.

    Common thieves and governmental spies (Chinese, Russians, etc.) on the other hand, might never be discovered if their level of competence is superior to that of the security administrators of a company.

    Therefore, the statistics offered are very dubious and I would not be surprised if they are completely and spectacularly wrong.

  14. Meanwhile... by Requiem18th · · Score: 2

    The Legion of Doom Says Superheroes Now Biggest Business Threat.

    --
    But... the future refused to change.