Hacktivism: An Emerging Threat to Diplomacy

When hackers with political agendas attack your computer systems, you'd better be prepared to fight back.

By Dorothy E. Denning

In September 1999, a group of hackers defaced the Web site of the U.S. embassy in China. They replaced the home page with racist and anti-government slogans and prominently displayed their name, Level Seven Crew, at the top of the page. They referred to a "war of skill" against the FBI, apparently triggered by FBI raids against members of the hacking group Global Hell, some of whom also belonged to Level Seven.

Level Seven and Global Hell typify a breed of hackers who exploit or attack computers and networks for more than the thrill and challenge, and for reasons other than money. They are activists, and they use their computer skills to make political statements and to protest actions by government and industry. They thus bridge the realms of hacking and activism, operating in a domain now called "hacktivism."

Although hacktivism is not entirely new, the development of the Internet, especially the World Wide Web, has led to an explosion of activity and to new forms of attack. Because incidents are often reported in the media, operations can generate considerable publicity for both the activists and their causes.

Hacktivism brings the methods of guerrilla theater and graffiti to cyberspace. It can be conducted by individuals acting alone or, as is often the case, by groups and coalitions. It can exhibit elements of art and theater. It can even be humorous. But it is not benign, and it threatens U.S. embassy computers and diplomatic missions. It can compromise sensitive or classified information and sabotage or disrupt operations. At the very least, it can embarrass those attacked and erode public confidence in the U.S. government.

How Hacktivists Work

Hacktivists engage in a variety of operations.
These include espionage and intelligence operations, Web defacements, Web sit-ins, denial-of-service attacks, e-mail bombings, and the release of computer viruses. These operations are facilitated by software tools that are readily available to anyone on the Internet. In June 1999, Ray Kammer, director of the National Institute of Standards and Technology, told the House Science Subcommittee on Technology that by NIST's estimate at least 30 computer attack tools were written and published on the Internet each month. He also said that one popular Web site had over 400,000 unique visitors per month downloading attack tools. With some tools, it is not even necessary to download and install the software: a perpetrator can go to the Web site, type in the address of the target, and click a button to launch the attack. One such site claims it will launch a WinNuke attack, which crashes Windows computers that have not been patched against it.

Hacktivists conduct their espionage and intelligence operations by breaking into computer systems and by intercepting network traffic with "sniffer" programs. Sniffers are typically used to collect user names and passwords, thereby facilitating subsequent break-ins, but they may also be used to pick up e-mail and other network traffic. Once inside a computer system, intruders can search for categories of information and download documents and e-mail. The information acquired from such operations could undermine U.S. diplomatic missions if made public or given to other governments. For example, hacktivists might expose negotiating strategies or confidential discussions.

The most popular form of hacktivism is defacing Web pages. Since 1995, when the earliest incidents were reported, there have been over 5,000 defacements, according to Attrition.org. The growth in recent years has been enormous: 4 in 1995, 18 in 1996, 28 in 1997, 233 in 1998, and 3,736 in 1999.
The attraction for hacktivists is likely twofold. First, a defacement can bring considerable publicity. Even if it does not reach the mainstream media, the hacktivist's work is mirrored on Attrition.org's Web site, available for anyone in the world to see. Second, it can be relatively easy to perform if the Web server is not adequately protected.

Numerous Web sites were hacked during the Kosovo conflict in 1999. According to reports, the American hacking group Team Spl0it posted statements such as "Tell your governments to stop the war" on U.S. government Web sites, while the Kosovo Hackers Group, a coalition of European and Albanian hackers, replaced at least five sites with black and red "Free Kosovo" banners. In the wake of NATO's accidental bombing of the Chinese embassy in Belgrade in May 1999, angry Chinese allegedly hacked several U.S. government sites. The slogan "down with barbarians" was placed in Chinese on the home page of the U.S. embassy in Beijing, while the U.S. Department of the Interior Web site showed images of the three journalists killed in the bombing, crowds protesting the attack in Beijing, and a fluttering Chinese flag. A Department of Energy Web page displayed the message "Protest U.S.A.'s Nazi Action!"

Hacktivists have also defaced Web sites belonging to the U.S. embassies in Belgium and in Bosnia-Herzegovina. Doctor Nuker, a founder of the Pakistan Hackerz Club, claimed credit for the attacks and posted images with the messages "Stop the Indians" and "Save Kashmir." In these cases, it was obvious to any observer that the defacements were the work of hackers, who prominently displayed their affiliations on the home page. The main impact was likely embarrassment to the embassies and the time spent restoring the pages and installing stronger security measures. Had the hackers altered the content more subtly, however, they might have undermined U.S. diplomatic missions or strained foreign relations.
Web Sit-ins, E-mail Bombings

Web defacements are sometimes accompanied by more damaging activity. In June 1998, a group of international hackers calling themselves milw0rm hacked the Web site of India's Bhabha Atomic Research Center (BARC) and put up a spoofed Web page showing a mushroom cloud and the text "If a nuclear war does start, you will be the first to scream." The hackers were protesting India's recent nuclear weapons tests, although they admitted they did it mostly for thrills. They said that they had also downloaded several thousand pages of e-mail and research documents, including messages between India's nuclear scientists and Israeli government officials, and had erased data on two of BARC's servers. The six hackers, aged 15 to 18, hailed from the United States, England, the Netherlands, and New Zealand.

In August 1999, Web defacements led to a cyberwar between hackers in China and Taiwan. Initially, Chinese hackers defaced several Taiwanese government Web sites with pro-China messages saying that Taiwan was and always would be an inseparable part of China. "Only one China exists and only one China is needed," read a message posted on the Web site of Taiwan's highest watchdog agency. Taiwanese hackers retaliated by planting a red and blue Taiwanese national flag and an anti-Communist slogan, "Reconquer, Reconquer, Reconquer the Mainland," on a Chinese high-tech Internet site. The cyberwar followed an angry exchange between Chinese and Taiwanese in response to Taiwan's President Lee Teng-hui's statement that China must deal with Taiwan on a "state-to-state" basis.

Another popular form of hacktivism is the Web sit-in. Activists visit a Web site and attempt to generate so much traffic against it that access by other users is impaired. The goal is to call attention to the protesters and their cause.
A group calling itself Strano Network conducted one of the first such demonstrations as a protest against French government policies on nuclear and social issues. On Dec. 21, 1995, they launched a one-hour Net-Strike against the Web sites of various French government agencies. At the appointed hour, participants from all over the world were instructed to point their browsers at the government Web sites. According to reports, at least some of the sites were effectively knocked out for the period.

In 1998, the Electronic Disturbance Theater (EDT) took the concept of electronic civil disobedience a step further. They organized a series of Web sit-ins, first against Mexican President Zedillo's Web site and later against President Clinton's White House Web site, the Pentagon, the School of the Americas, the Frankfurt Stock Exchange, and the Mexican Stock Exchange. The purpose was to demonstrate solidarity with the Mexican Zapatistas. According to EDT's Brett Stalbaum, the Pentagon was chosen because "we believe that the U.S. military trained the soldiers carrying out the human rights abuses." The School of the Americas was selected for a similar reason. The Frankfurt Stock Exchange was targeted, Stalbaum said, "because it represented capitalism's role in globalization utilizing the techniques of genocide and ethnic cleansing, which is at the root of the Chiapas [region's] problems. The people of Chiapas should play a key role in determining their own fate, instead of having it pushed on them through their forced relocation (at gunpoint), which is currently financed by Western capital."

To facilitate the strikes, the organizers set up special Web sites with automated software. All participants had to do was visit one of the FloodNet sites. When they did, their browser would download the software (a Java applet), which would request the target site every few seconds.
In addition, the software let protesters leave a personal statement in the targeted server's error log. For example, if they pointed their browsers at a non-existent file such as "human rights" on the target server, the server would return and log the message "human rights not found on this server." Stalbaum, who wrote the software, characterized FloodNet as "conceptual net art that empowers people through active/artistic expression."

EDT estimated that 10,000 people from all over the world participated in the sit-in of Sept. 9, 1998, against the sites of President Zedillo, the Pentagon, and the Frankfurt Stock Exchange, delivering 600,000 hits per minute to each. The Pentagon, however, did not sit idly by. It struck back. When its server detected requests coming from the FloodNet applet, it redirected the participants' browsers to a page carrying an applet called HostileApplet. Once loaded, that applet tied up their machines in an endless attempt to reload a document until the machines were rebooted. President Zedillo's site did not strike back on this occasion, but at a June sit-in it used software that caused the protesters' browsers to open window after window until their computers crashed. The Frankfurt Stock Exchange reported that it was aware of the protest but believed it had not affected its services; it said it normally got about six million hits a day. Overall, EDT considered the attack a success.

EDT has also used its FloodNet software against the White House Web site to express opposition to U.S. military strikes and economic sanctions against Iraq. In a "Call for FloodNet Action for Peace in the Middle East," EDT articulated its philosophy: "We do not believe that only nation-states have the legitimate authority to engage in war and aggression.
And we see cyberspace as a means for non-state political actors to enter present and future arenas of conflict, and to do so across international borders." When asked about the impact of their Web strikes, EDT's Ricardo Dominguez observed, "These virtual sit-ins have captured a large amount of traditional media attention. You would not be interviewing us if this gesture had not been effective in getting attention to the issues on a global scale."

There are also a variety of methods by which an individual acting alone can disrupt or disable Internet servers. Such attacks are called "denial of service" attacks. They frequently involve software tools that flood the target server with network packets. During the Kosovo conflict, Belgrade hackers were credited with conducting such attacks against NATO servers. They bombarded NATO's Web server with "ping" requests, which normally just test whether a server is running and connected to the Internet; sent in volume, they saturated the servers' network links.

In February 2000, Amazon, Yahoo, eBay, E-Trade, ZDNet, CNN.com, Buy.com, and Excite were hit by massive denial-of-service assaults mounted with the tools trinoo, Tribe Flood Network (TFN), and Stacheldraht. These tools let a perpetrator launch a coordinated assault against one or more targets from hundreds or thousands of places at once, all controlled from a single computer. The "cooperating" computer systems are not willing participants. Rather, they have been compromised by the perpetrator and become victims of the attack along with the targets, which are flooded with traffic. Stopping such attacks can be extremely difficult; preventing them is even harder.

When large numbers of individuals simultaneously attack a designated site, as in the EDT Web sit-ins, the operation is sometimes referred to as "swarming." Swarming can amplify other types of attack, such as a ping attack or an e-mail bombing.
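As an added example (not code from the article, from EDT's FloodNet, or from any server the article names), the following Python scans a Web server's access log for the signature the sit-ins described above leave behind: a burst of requests from many distinct clients, most of them for non-existent slogan paths that the server answers with 404. The sample log lines, the one-minute window and the thresholds are constructed assumptions for the example; a site's own normal traffic sets the real thresholds.

```python
"""Spot a FloodNet-style Web sit-in in ordinary access logs.

Added example, not code from the article, from EDT or from any server it
names. The applet described above reloads the target every few seconds from
many participants at once and asks for non-existent paths so that the 404
entry carries a slogan. All three traits (rate, client spread, share of
404s) show up in a Common Log Format access log, which is what this scans.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# NCSA Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_sitin(lines, min_requests=20, min_hosts=5, min_404_share=0.5):
    """Group requests into one-minute buckets and report the buckets that
    look like a swarm: many requests, from many distinct clients, most of
    them 404s. The thresholds are assumptions for the example; a site that
    normally sees millions of hits a day needs very different ones.
    """
    buckets = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        buckets[rec["ts"].replace(second=0, microsecond=0)].append(rec)

    findings = []
    for minute in sorted(buckets):
        reqs = buckets[minute]
        hosts = {r["host"] for r in reqs}
        missing = [r for r in reqs if r["status"] == 404]
        if (len(reqs) >= min_requests and len(hosts) >= min_hosts
                and len(missing) / len(reqs) >= min_404_share):
            findings.append({
                "window": minute.isoformat(),
                "requests": len(reqs),
                "hosts": len(hosts),
                "not_found": len(missing),
                # the slogans the applet leaves in the error log
                "top_paths": Counter(r["path"] for r in missing).most_common(3),
            })
    return findings


def sample_log():
    """Constructed sample, not a real capture: six participants reloading
    three slogan paths every 12 seconds, mixed with ordinary visitors, then
    a quiet minute with nothing suspicious."""
    base = datetime(1998, 9, 9, 12, 0, 0, tzinfo=timezone.utc)
    slogans = ["/human_rights", "/justice", "/free_chiapas"]

    def stamp(secs):
        return (base + timedelta(seconds=secs)).strftime(TS_FMT)

    lines = []
    for n in range(5):                       # five reloads per participant
        for k in range(6):                   # six participants
            path = slogans[(n + k) % len(slogans)]
            lines.append(f'10.0.{k + 1}.7 - - [{stamp(12 * n + k)}] '
                         f'"GET {path} HTTP/1.0" 404 209')
    for n in range(6):                       # ordinary visitors, same minute
        lines.append(f'192.0.2.{n + 20} - - [{stamp(7 * n)}] '
                     f'"GET /index.html HTTP/1.0" 200 5120')
    lines.append(f'192.0.2.50 - - [{stamp(180)}] '
                 f'"GET /index.html HTTP/1.0" 200 5120')
    return lines


if __name__ == "__main__":
    for finding in detect_sitin(sample_log()):
        print(finding)
```

The distinct-host check is what separates a swarm from one individual flooding a server (the single sender of 2,000 messages a day that NATO described would show up as one host); for a live deployment, feed the function the tail of the access log on a schedule and alert on any finding.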
With e-mail bombing, hacktivists send thousands of messages, often with huge file attachments, to their targets. The effect can be to jam a recipient's incoming mailbox, making it impossible for legitimate e-mail to get through. Although e-mail bombs are often used for revenge or harassment, they have also been used to protest government policies. In what some U.S. intelligence authorities characterized as the first known attack by terrorists against a country's computer systems, ethnic Tamil guerrillas were said to have swamped Sri Lankan embassies with thousands of e-mail messages in 1998. The messages read "We are the Internet Black Tigers and we're doing this to disrupt your communications." An offshoot of the Liberation Tigers of Tamil Eelam, which had been fighting for an independent homeland for minority Tamils, was credited with the attack. The bombing consisted of about 800 e-mails a day for about two weeks. William Church, editor for the Centre for Infrastructural Warfare Studies (CIWARS), observed that "the Liberation Tigers of Tamil are desperate for publicity and they got exactly what they wanted. ... Considering the routinely deadly attacks committed by the Tigers, if this type of activity distracts them from bombing and killing then CIWARS would like to encourage them, in the name of peace, to do more of this type of terrorist activity." The attack, however, was said to have had the desired effect of generating fear in the embassies.

During the Kosovo conflict, protesters on both sides e-mail bombed government sites. According to PA News, a British news service, NATO spokesman Jamie Shea said their server had been saturated at the end of March by one individual who was sending them 2,000 messages a day. Fox News reported that when California resident Richard Clark heard of attacks against NATO's Web site by Belgrade hackers, he retaliated by sending an e-mail bomb to the Yugoslav government's site.
Clark said that a few days and 500,000 e-mails into the siege, the site went down. He did not claim full responsibility, but said he "played a part." That part did not go unrecognized: his Internet service provider, Pacific Bell, cut off his service, saying his actions violated its spamming policy.

Hacktivists have also used computer viruses to spread protest messages and damage target computer systems. During the Kosovo conflict, several organizations received virus-laden e-mails from a range of Eastern European countries. According to mi2g, a London-based Internet software company, "The contents of the messages are normally highly politicized attacks on NATO's unfair aggression and defending Serbian rights using poor English language and propaganda cartoons."

Detect and Protect

Hacktivism poses a genuine threat to U.S. government operations, particularly abroad. As such, Foreign Service employees must take it seriously. Fortunately, defending against it is not much different from defending against any other type of cyberattack.

The first step is to establish an information security policy. The policy should define roles and responsibilities for protecting information resources, including computers, networks, and information in all its forms.

Next is securing the human element. Employees need to be advised of threats, countermeasures, and their responsibilities for safeguarding information. They especially need to bear in mind that many hackers get passwords and other sensitive information by conning them out of employees, a tactic hackers call "social engineering." Security training and awareness are therefore crucial.

Information must be protected not only in storage but in transit over computer and telecommunications networks. This requires a combination of safeguards, including access controls, authentication, encryption, intrusion and misuse detection, and malicious code detection.
Access controls, including computer and network login controls, firewalls, and application-layer controls, prevent unauthorized access to information resources. Such controls can be applied to individual documents and records or to complete systems.

Authentication mechanisms validate the identity of users and other entities, including networked computers. Mechanisms include passwords, access tokens, biometrics, cryptographic protocols, digital signatures, and location signatures. Without adequate authentication, access controls are useless, since hacktivists can impersonate legitimate users and gain access to computers and networks.

Encryption, the process of scrambling data into something that is unintelligible without the key, can protect data transmitted over open computer networks and phone lines (fax and voice) from sniffers. Similarly, it can protect data stored on computers, which are vulnerable to physical theft and unauthorized access.

Intrusion and misuse detection systems operate on the principle that it is not feasible to prevent all attacks, particularly those by insiders, but that such attacks follow identifiable patterns or deviate from normal usage in identifiable ways. By monitoring system behavior and file activity, either from audit records or in real time, these systems attempt to detect intrusions by outsiders and misuse by authorized persons. They can detect modifications to Web sites and denial-of-service assaults. Online systems may be integrated with other access controls and manual auditing procedures to detect and thwart penetration attempts.

Anti-viral tools that detect and eradicate viruses, worms, and other forms of malicious code are essential. These tools scan for patterns in files, e-mail attachments, and software downloaded from the Web. The tools must be kept up to date, however, as new viruses emerge continuously.
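As an added example (not the article's own tooling, and not any product it names), the following Python implements the "detect modifications to Web sites" check described above as a signed file-integrity baseline: every file under the document root is hashed with SHA-256, and the manifest carries an HMAC so that an intruder who rewrites the home page cannot quietly rewrite the baseline to match. The document root, file names and key handling in the demo are constructed assumptions.

```python
"""Detect a Web defacement with a signed file-integrity baseline.

Added example, not the article's own tooling or any product it names. The
detection systems described above can notice modifications to Web sites;
the simplest way is to record a SHA-256 digest of every file under the
document root and compare later. The manifest is authenticated with an HMAC
so that an intruder who can rewrite index.html cannot also rewrite the
baseline to match; the key is assumed to be kept off the Web server.
"""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full)
    return digests


def _mac(digests, key):
    # canonical JSON so the same tree always yields the same MAC input
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_manifest(digests, key):
    return {"files": digests, "mac": _mac(digests, key)}


def check_site(root, manifest, key):
    """Compare the live tree with the manifest. 'trusted' is False when the
    manifest's MAC does not verify, in which case its contents are ignored."""
    if not hmac.compare_digest(_mac(manifest["files"], key), manifest["mac"]):
        return {"trusted": False, "modified": [], "added": [], "removed": []}
    baseline, current = manifest["files"], snapshot(root)
    return {
        "trusted": True,
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def run_demo():
    """Build a throwaway site (constructed content), baseline it, then simulate
    a defacement (home page rewritten, a file dropped in, a page deleted) and
    finally a forged manifest. Returns the three check results."""
    key = os.urandom(32)  # in practice: generated and stored off the Web server
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<h1>Embassy home page</h1>")
        _write(root, "press/release.html", "<p>Statement</p>")
        _write(root, "contact.html", "<p>Contact</p>")
        manifest = sign_manifest(snapshot(root), key)
        clean = check_site(root, manifest, key)

        _write(root, "index.html", "<h1>Defaced</h1>")
        _write(root, "owned.txt", "greetings")
        os.remove(os.path.join(root, "contact.html"))
        defaced = check_site(root, manifest, key)

        # the intruder regenerates the manifest to match, but lacks the key
        forged = sign_manifest(snapshot(root), b"not-the-real-key")
        forged_result = check_site(root, forged, key)
    return clean, defaced, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "defaced", "forged manifest"), run_demo()):
        print(label, result)
```

Run the comparison from a host other than the Web server, or at least keep the key off it, so that a compromise of the server does not also hand over the baseline; a result with "trusted" set to False means the manifest itself was tampered with, and the tree should then be compared against a copy of the baseline kept elsewhere.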
In addition to employing these mechanisms, systems administrators need to monitor their systems for vulnerabilities and install security patches when they are released. Intruders typically break into computers by exploiting known vulnerabilities in systems that are not properly configured or maintained.

Finally, remember that no system is perfect. Any information security program must therefore plan for the worst and be prepared to respond quickly and effectively to incidents that arise. This includes developing procedures for handling incidents and establishing contacts with law enforcement agencies.

Dorothy E. Denning is a professor of computer science at Georgetown University, where she also serves as a faculty mentor to students in the Science and Technology in International Affairs program of the School of Foreign Service.