It is December 2012. I’m sitting in a courtroom at London’s Southwark Crown Court listening to a prosecutor outline the crimes of Christopher Weatherhead, a pasty 22-year-old Northampton University student and one of the key members of the global hacktivist group, Anonymous.
After a lecture on the methods employed by the hacker, which included a distributed denial of service (DDoS) attack that took down PayPal for ten days, the man, nicknamed Nerdo, was sentenced to 18 months in prison. Why did the group plan the attack that resulted in losses of £3.5 million (about Dh18.8 million) for the company? It was revenge for PayPal’s decision to block donations to WikiLeaks.
Hackers aren’t a new phenomenon. They have even entered pop culture with movies like Hackers, The Matrix and Swordfish. But while they were then seen as cool, anti-authoritarian figures, they are now the new cyberterrorists, using technology to bomb data networks and disable organisations.
As these threats have begun emerging close to home, these topics will be addressed in the upcoming Gulf Information Security Expo and Conference (Gisec) next week.
The threat strikes home
The region has seen a spate of cyberattacks of late, notably the attack on Saudi Aramco in 2012, hacking of Dubai Police’s Twitter account in 2014, and attacks on the Abu Dhabi TV and Al Ittihad websites earlier this year.
There were also reports of numerous attempts on UAE government websites, which were neutralised by the UAE Computer Emergency Response Team, a cybersecurity coordination centre affiliated to the Telecommunications Regulatory Authority.
Regional organisations also face cyberespionage risks from actors working for or in concert with governments, says Ayed Alqartah, Senior Systems Engineer at FireEye, a US network security company. “[Governments] almost certainly employ cyberespionage to monitor their economic, political and military interests, which will likely drive the further development of local cyberespionage efforts.”
According to PwC’s Global Crime Survey 2014, 45 per cent of financial firms had been hit by cyberattacks, compared to 17 per cent of other types of firms and institutions. Cybercrime was the second-most common economic crime in the UAE, with 41 per cent of 5,000 respondents reporting their companies had suffered some form of it.
Kaspersky Labs, the Russian antivirus giant, published a report in February about Desert Falcons, which it calls the Middle East’s first advanced persistent threat group. The Falcons started operations in 2011, with the first signs of infections appearing in 2013 and their activity peaking last December. One million files were stolen from local hard drives from over 3,000 victims in 50-plus countries, with the most infections reported in Palestine, Egypt, Israel and Jordan. The UAE, Saudi Arabia and Qatar were also hit.
Symantec, developer of Norton Antivirus, released its Internet Security Threat report last week. It says the UAE’s world ranking for vulnerability to internet security threats improved from 47 in 2013 to 49 last year, while remaining seventh in the Middle East and Africa.
The top industries that received spear phishing emails in the country were finance, insurance and real estate (40 per cent of all incoming emails were targeted attacks), while the smallest organisations — sized 1-250 employees — experienced the highest volume of attacks, at almost 89 per cent.
“With the use of social media gaining momentum in the Middle East, Symantec’s research found the UAE had a global rank of 21 for social media scams and 36 for ransomware threats in 2014,” says Hassam Sidani, Regional Manager for Gulf, Symantec. “Social media scams can provide cybercriminals with quick cash, while ransomware relies on more lucrative and aggressive attack methodology.”
It’s complicated
“The threats are complicated and security is complicated,” Bruce Schneier, Fellow, Berkman Center for Internet and Society at Harvard Law School, and the key speaker at Gisec, tells GN Focus by email. A security technologist whose blog, Schneier on Security, has more than 250,000 subscribers, he says protection against hackers is a combination of prevention, detection and response. “We need to be resilient in the face of this complex threat landscape.”
However, if the likes of Sony and Apple are vulnerable to hacker attacks, what hope can a smaller company have for protecting itself? “With enough skill, motivation and funding [for hackers], any company in the world can be a victim like Sony,” Schneier says. “They needed a more sophisticated response mechanism.
“We need better protection, both at the individual corporate level as well as societal government level, but we also need better detection and response.
“As individuals, we need to agitate for political change. Much of this loss of privacy on the corporate side is due to lax laws protecting our data.”
Chester Wisniewski, Senior Security Consultant at Sophos, which develops security software and hardware, says cybercrime is all about the money. “It motivates most cybercrooks, from hackers penetrating company networks looking for information to sell or exploit [to] the operators of online underground marketplaces [and] DDoSers hired to take out a rival [company’s] web infrastructure.”
“I never talk about worst-case scenarios,” Schneier adds. “They may make good movie plots, but they make [for] bad policy and bad law.”
