Monday, May 30, 2011

Everything is Moving to the Cloud... Even Hacking?

I promise that this won't be a buzzword-laced post about the benefits of cloud computing, the continuous move to store all our information online, or the pros and cons of relying on off-site storage. However, an interesting trend has been cropping up in terms of cloud computing and network security: the use of "the cloud" as a launching point for cyber attacks. One of the most notable incidents (and the one that inspired this post) was that of the cyber attack on Sony's PlayStation Network. One of the big differences between that attack and more "conventional" hacks is that the attackers were able to harness the power of cloud computing to launch their attacks rather than relying on local servers or widespread botnets. I believe that this will quickly become a trend, if not the norm, for cyber attacks in the future. The anonymity of a cloud-based launching point, its ease of use, availability, power, and low costs combine to make using the cloud to launch a cyber attack not only feasible, but also tempting.

When Sony released information about the attack, one of the more noteworthy facts was that the attack had been launched from Amazon's EC2 cloud computing infrastructure. Although hackers have previously used rented servers, this attack marks one of the most significant cases of late where a service such as Amazon's has been abused in such a manner. No longer are the masterminds behind cyber attacks required to purchase server space from shady third parties in unknown countries. Instead, they can use a legitimate service, at a fraction of the cost and with more power (Amazon's cloud is notoriously resilient).

In terms of anonymity, using cloud-based services doesn't necessarily decrease your chances of detection, but it does add another layer. Now, law enforcement investigators will need to subpoena Amazon, search their records, find connecting computers, and trace from there. It's another step that only adds time and could possibly aid attackers. Renting a server and service from Amazon is as simple as signing up with a fake account and a fake credit card, something to which cyber criminals undoubtedly have easy access. In addition, using an Amazon server to launch an attack is like hiding behind a proxy without the obnoxious bandwidth reduction. Now, attacks can be launched at full speed, without being channeled through proxies. Only the commands sent to the servers need to be sent through proxies to obfuscate the identity of the attacker.

Amazon has an amazing infrastructure and you can be assured that hackers will continue to exploit it mercilessly. A question that needs to be asked, however, is how will Amazon protect against outbound attacks? They have demonstrated (for the most part) that they can secure their infrastructure from attack. But what happens when that infrastructure is doing the attacking itself rather than being attacked? Hopefully Amazon will be able to implement security that can prevent the abuse of its services.

Sunday, May 8, 2011

Sony and Anonymous

When discussing online intrusions, hacks, and denial of service incidents, one of the primary questions posed is: "who did this?" Obviously, the company under attack has a direct obligation to its customers to both repair the damage and implement preventative measures. However, an organization today known as "Anonymous" is increasingly challenging the ability to pinpoint a direct source of an attack. Anonymous is neither a collective group nor a dedicated few individuals; it is everywhere, at any time, consisting of whoever so desires to be a part of it. Do I think that Anonymous attacked Sony? No. However, this makes it difficult for Sony because if Anonymous is not a group or a defined set of people, how can it be said that the hacking attempt wasn't Anonymous?

In my opinion, Sony needs to determine who made the attack, and for this reason they have listed Anonymous as the perpetrator. Regardless of its innocence, Anonymous will take the blame because it is not defined, and there is no way to prove it wasn't the group. How can we prove that it wasn't Anonymous if the entire point of the organization is to claim that it is everywhere? If one person "joins" Anonymous, then later, with several other people who have also "joined," commits a service disruption, is that the action of Anonymous or not? How many people does it take to form "Anonymous"? Since there are no statistics on the size of the group, one hundred people could make up 70% of the organization on Monday but only 10% on Tuesday.

As odd as it may sound, I think that most people in the tech community believe Anonymous when they say they aren't seeking credit card numbers. The group as a whole seems to pursue what they feel are moral crusades, and stealing customer data doesn't seem to align with its past. However, it is hard to pinpoint a motive for the group, and there may certainly be members who elect to pursue more damaging attacks than the rest of the organization. Regardless, Sony will most likely continue to blame the group as a whole. Since Anonymous wants to be anonymous, it can use the shield of anonymity to protect itself, but that may also come back to harm it later as well.