Two years ago, a company called Medtronic unveiled a pacemaker that can be monitored via the tiny device’s wireless connection. The pacemaker can talk to a regular BlackBerry, and to the world beyond.
It’s 2012, and everything is data. Governments moving online deliver their most critical services as data. Businesses have turned their property into data, their processes into data, their money into data. Citizens have turned their social lives into data. Your location at this very moment is data: Your phone is tracking it, and your car is probably tracking it too. Anything you communicate to anyone who’s not in earshot is data.
And wherever there’s a flow of data, there’s someone who wants to bend it to suit their own ends. Cybersecurity is no longer just a game of cat-and-mouse played with recluses who, by the dim green light of their computer screens, try to infiltrate mainframes. It’s a wild, unpredictable space, where hardly a week passes without word of an attack on a newly targeted organization (Sony? NASA? The NDP?) for motives that are financial, political or just plain inscrutable. And, dear reader, you need to know the basics of this epidemic; we can’t just rely on IT to take care of it. So here’s a primer, in 26 steps, on some of the big questions facing the world of cybersecurity—and what you can do to keep from becoming a casualty.
A is for Anonymous
The only thing that Anonymous generates more than headlines is confusion about what it is. Anonymous has shut down the Vatican’s website, taunted cabinet ministers, released hacked e-mails and inserted itself into national debates. But is it an agitprop activist group? A genuine security threat? An occasional cover for government meddling? Or just an anarchic idea gone viral?
Here’s what we do know: Anonymous isn’t a centralized organization, but a nebulous collection of cells and splinter groups that co-ordinate their efforts, to varying degrees, in online chat rooms. The first rule of Anonymous is (surprise) anonymity—a rejection of personal fame. After that, things get fuzzy. “Beyond a foundational commitment to anonymity and the free flow of information, Anonymous has no consistent philosophy or political program,” writes Gabriella Coleman, a McGill professor who’s spent years studying Anonymous.
If anything can be said definitively, it’s that Anonymous embodies a culture of creative disturbance—the pursuit of chaos, justice, retribution, and having laughs—or “lulz,” after the “laughing out loud” acronym “LOL.”
In fact, Anonymous has more in common with the Dadaists than it does with run-of-the-mill cybercriminals. Its roots are in online pranksterism: The group sprang from a message board called 4chan—the same anarchic forum that produced harmless Internet memes like Rick rolling and LOLCATS.
But a faction from the board started using more aggressive means to stir up trouble, like baiting and harassing obnoxious YouTube users. The turning point came in 2008, when Anonymous targeted the Church of Scientology. The church’s secretive, controlling nature clashed with the collective’s libertine streak, even before the church threatened websites in an attempt to suppress the dissemination of a goofy leaked video of Tom Cruise. Lulz ahoy! The church found its servers under attack, its offices surrounded by masked protesters, and a great many unordered pizzas showing up at its doorstep. The pranksters had found a political voice.
Since then, Anonymous has become the poster child for “hacktivism”—cybercrime that’s committed on principle, rather than for financial gains or to pursue national ends. (However, since anyone can take up the Anonymous mantle, there’s speculation in the security community that government actors could be using the group for cover.) After Anonymous mocked Vic Toews, the hapless Canadian minister wanted Parliament to act. Many Canadians already knew better: You can’t punish a culture.
B is for Botnet
What does a virus actually do when it infects your computer? There are plenty of options, all of them unpleasant, but a common one is to recruit your machine into a virtual army. The machine will fall under the control of a lurking third party but might not show any outward sign of infection.
Botnets can grow to hundreds of thousands or even millions of infected computers. Size is their weapon. They can launch Distributed Denial of Service attacks (see “D” below), in which an army of commandeered computers bombards a website with requests until it collapses.