Experts: Small targets no match for savvy hackers
LITTLE ROCK, Ark. — An online attack against dozens of rural American law enforcement agencies in which emails, credit card numbers and crime tips were stolen and posted on the Internet has left some officials wondering how they can ward off future hacking attempts, if at all.
The attack by the hackers’ collective Anonymous on agencies in five states — Arkansas, Kansas, Louisiana, Missouri and Mississippi — was likely so broad in scope because many sites were hosted by the same company, Brooks-Jeffrey Marketing, of Mountain Home, Ark.
But the theft exposed a “dirty little secret” about hacking — the best hackers can beat the tools meant to stop them and many potential victims don’t know it, said Anup Ghosh, the co-founder and CEO of the software security company Invincea.
Most of the technology meant to prevent hacking was developed in the mid- to late-1990s, yet hackers have continued to develop their trade, Ghosh said.
“The guys writing the attack codes have evolved their technologies considerably,” he said.
What has changed is that “hacktivists” such as Anonymous want the world to know about their crimes, breaches that were once kept quiet or that went unnoticed by hacking targets are now being trumpeted.
After posting the stolen law enforcement data online on Saturday, Anonymous members taunted local sheriffs on Twitter and the group’s website, saying they wanted to embarrass and discredit law enforcement after a series of arrests targeting alleged members of the group.
Much of the pilfered information appeared to be benign, but some emails contained crime tips, profiles of gang members and other sensitive information.
The attacked websites appeared to be back up Monday, and the stolen information remained online elsewhere.
Kevin Mitnick, a Las Vegas security consultant and a former hacker, said simple security audits, in which someone like him tries to hack into a site, can show a website’s vulnerabilities.
But Heather Egan Sussman, an attorney in Boston who specializes in information privacy, said she wondered if cash-strapped government agencies can afford the privacy measures they need.
“I think what we’re seeing are state and local agencies that are underfunded, overworked, overstressed,” she said. “And yet they are housing some of the most sensitive data about citizens and residents.”