Category Archives: Information Security

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still effective? And what if there was a way to use the same psychological pivots attackers rely on to improve cyber security? Those attending this month’s RANT Forum in London are about to find out how to make that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded cyber-security expert and a member of the government’s industry advisory group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will show how and why they still work. “What I do is look at the psychology behind these attacks,” he tells the Acumin Blog. “Security is constantly changing, and it’s difficult at the best of times for CISOs to level the playing field in a constantly changing threat landscape. It’s a case of adapt or fail – so I look at why attacks work or don’t work, and at how that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak links in an organisation and exploit these to access information: the more obvious examples include masquerading as executives or colleagues, relatives or other trusted contacts. But what Coatesworth is more interested in is the methodologies that underpin these attacks. By unpicking them and understanding them, he believes infosec professionals can get ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks tend to be against personnel with access to sensitive information or with admin access to systems. Opportunity is key, as well as the time and effort needed to orchestrate a successful phishing attack. It’s not one-glove-fits-all, but when you look at the psychology behind how the attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already, but probably don’t realise it. “The psychology behind these attacks is all about marketing and PR,” Coatesworth says. “It’s more in the generalities than the specifics. They all follow similar proven methods to seduce or manipulate you to click on that link or download that file. If you understand these strategies you can use them internally: it’s like a form of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it, don’t think it can be done and want to argue about it – then Wednesday’s RANT Forum is the place to be. It takes place on Wednesday 25th September; email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Laughing all the way to the bank: Why banks need to rethink their approach to social media

by Angus Batey

Every day, I check my bank accounts online. Every time I check, my bank is encouraging me to send it Tweets. So every day I find myself wondering whether I am the only one of their customers to find this bordering on insane.

The social-media revolution has changed the way all companies do business and interact with their customers, and it would be naive to imagine that banking hadn’t been as affected as everybody else. Facebook, Twitter, Google Plus and the rest are powerful tools, enabling individuals and corporations to strengthen relationships through easy interaction – and best of all, the costs are met by somebody else. What’s not to like?

Just about the only other thing I can guarantee on happening every day is that I’ll receive an email telling me that my bank account has developed some problem or other, but that help is at hand, if I’d just click on the link and resubmit my details. I’ve been getting them for the thick end of 20 years and they’ve not evolved greatly in their wit or sophistication. We all know the more obvious telltale giveaways, from the hilariously inept salutations (“Dear esteemed beneficiary…”) to the clumsily hidden address they really come from. Yet these scams still manage to fool some users – according to a 2010 report by Cyveillance [PDF], a spammer can expect to get about 250 people to hand over their data for every half-million phishing emails sent. This is a tiny fraction, but a significant number.

Usually, the first thing that lets you know a purported banking email is a fraud is that it claims it comes from a bank you’ve never had an account with. But what if the scammers knew who you banked with, and took a little more care to make their emails plausible? Wouldn’t that low rate of success quickly start to climb?

Every major High Street bank has a range of official Twitter accounts it uses to communicate with the outside world – often little more than a stream of links to corporate press releases or items of perceived interest to customers. But even if that’s all a bank uses Twitter for, its accounts represent an incredible intelligence-gathering opportunity for anyone willing to spend a couple of hours to better target phishing attacks.

Unless you’re an avid student of the banking industry you’re unlikely to subscribe to a bank’s social-media feed if you don’t hold an account with them – and on Twitter, where you don’t even need to be a registered site user to view details of who is following a particular account, the High Street banks’ feeds are a potential scammer’s goldmine. True, a list of followers will only give you a list of Twitter account names: but, obligingly, a significant number of Twitter users include their real names on their publicly accessible profile pages, sometimes with a link to a personal website which will contain contact information: some users even include email addresses and phone numbers on those public pages.

Worse – from a security perspective – most banks also operate helpline-style Twitter accounts, where users publicly out themselves as customers, often of products including mortgage, insurance and share-dealing services as well as just ordinary current accounts: and while conversations requiring detailed information are conducted via email or private Twitter direct messages, initial queries are asked and answered in full public view.

In the real world, someone wishing to target you for banking fraud would either have had to have sold you something and have you give them a cheque to know where you banked, or followed you up and down the High Street on the off-chance you might visit your local branch. Following your bank on Twitter is like walking up and down that High Street wearing a t-shirt emblazoned with the name of the bank; Tweeting a question to your bank, from a Twitter account that includes your email address, is like walking around in that t-shirt, and with a flashing neon sign fixed to your head saying “Please rob me”.

The criminals clearly prefer to spend their time counting the loot, not finding more effective ways to raise it – and for that we should be thankful. Because, in their enthusiasm to embrace the new opportunities for customer engagement that social media provide, our banks are giving criminals an unprecedented opportunity to improve their phishing success rate. Clearly the banks’ market research has told them that no new method of customer interaction should be shunned: and to the average internet user, who thinks anything free and convenient is to be applauded, a bank refusing to embrace social media will look out of touch. But by encouraging customers to publicly reveal information about the products and services they use, banks are playing a dangerous game – undermining security to promote customer dialogue seems a curious business decision for an industry that relies, more than most, on protecting its clients’ data.

* Angus Batey is a freelance journalist who has covered cyber defence and data security for titles including the Sunday Telegraph and Digital Battlespace. He doesn’t follow his bank on Twitter.

The kind of “how to” guide to security that SMBs will benefit from

The Data Protection Act came into force in 1998 and exists as the core piece of legislation that seeks to ensure that personal data is protected in the UK. Principle 7 of the act states what is required by those in possession of sensitive data in relation to security.

Principle 7 is comprehensive – but by no means all-inclusive (risk management will be bespoke after all) – and is well captured by the following demand: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In short, it states that businesses have to make every effort to ensure security is vigorously implemented; otherwise, along with loss of data, breach of network security, loss of reputation and financial damage, they can receive a hefty fine. A fine of £50,000 is significant and detrimental to small to medium-sized businesses (SMBs).

Conscious of this and the changing shape of the business landscape – the permeation of the internet into all facets of an organisation’s operations – the Information Commissioner’s Office (ICO), which oversees the Data Protection Act, has released a new guide to help SMBs out.

Entitled A Practical Guide to Information Security: Ideal for the Small Business, the ICO’s document is not bad at all. It’s not massively detailed – 12 pages – but that’s the point. It serves as an introduction, putting forward recommendations that are relatively easy to implement and not too costly.

The language is clean, perhaps directed at those who lack any discernible strategy for information security and risk management. For example, the following passage outlines the first step businesses can take:

“Before you can establish what level of security is right for your business you will need to review the personal data you hold and assess the risks to that data. You should consider all processes involved as you collect, store, use and dispose of personal data. Consider how valuable, sensitive or confidential the information is and what damage or distress could be caused to individuals if there was a security breach.”

While that may sound obvious, break it down and it’s informative. Take, for example, the line about the processes involved in collecting, storing and using data. Is this done automatically, without any clear-cut policy, or is it more regimented and authoritative? Knowing this can be exceptionally beneficial to SMBs.

Another great recommendation, which to most security consultants is standard practice, is using a layered approach to network security, something non-savvy SMBs might not consider, thinking that a single approach is enough.

But, as the ICO notes, there is no single approach that can ensure 100 per cent security. A combination of tools and techniques makes sense because if one “layer” crumbles, there’s another barrier in place to prevent an attack being successful.

Throughout the document, points like this are aired, and it is extremely refreshing to come across something that simplifies, explains and articulates the importance of information security in today’s age of information. Well done ICO.

The slow rise in POS terminal attacks

Late last year there was conversation about the increasing frequency of point of sale (POS) terminal fraud, especially in the US. An extremely high-profile case that was discussed by security professionals with cyber security jobs and no doubt those on the hunt for IT security contract jobs concerned four Romanian nationals and a multimillion dollar scheme to commit POS fraud, which would have resulted in hundreds of merchants being swindled as well as compromising 80,000 US citizens.

They were attempting to do this remotely by hacking into POS systems and stealing card data and payments from credit cards, debit cards and prepaid cards, but were, luckily, nabbed by the authorities. They face five years in prison if convicted.

“The hackers allegedly scanned the internet to identify vulnerable POS systems with certain remote desktop software applications installed on them, and then used the applications to log into the targeted POS system, either by guessing the passwords or using password-cracking software programs,” Wired.com reported at the time.
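The pattern Wired describes, repeated password guessing against a remote-desktop login followed by a successful logon, is visible in ordinary authentication logs if anyone is looking. The following is an added example, not code from the blog or from any vendor it names, showing how a defender might flag it. It assumes a simplified export of Windows Security events (4625 for a failed logon, 4624 for a successful one, logon type 10 for RDP); the log lines, field names and thresholds are all constructed for illustration.

```python
"""Detect remote-desktop password guessing against a POS host from logon events.

Added example (not from the Acumin blog or any vendor it mentions).
Assumptions: the log lines below are constructed to resemble exported Windows
Security events (4625 = failed logon, 4624 = successful logon; logon type 10 =
RemoteInteractive, i.e. RDP); the key=value fields are a simplification of the
real event XML. The threshold and window are illustrative, not recommendations.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one address hammers the RDP login and then gets in;
# a legitimate till user mistypes once; a console logon (type 2) is ignored.
SAMPLE_LOG = """\
2012-02-10T03:12:01 4625 src=203.0.113.45 user=admin type=10
2012-02-10T03:12:03 4625 src=203.0.113.45 user=admin type=10
2012-02-10T03:12:04 4625 src=203.0.113.45 user=pos type=10
2012-02-10T03:12:06 4625 src=203.0.113.45 user=pos1 type=10
2012-02-10T03:12:07 4625 src=203.0.113.45 user=manager type=10
2012-02-10T03:12:09 4624 src=203.0.113.45 user=manager type=10
2012-02-10T08:55:10 4625 src=192.0.2.7 user=till01 type=10
2012-02-10T08:55:40 4624 src=192.0.2.7 user=till01 type=10
2012-02-10T09:00:00 4624 src=192.0.2.8 user=till02 type=2
"""

FAILED, SUCCESS = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Turn one constructed log line into a dict; None for unparseable lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in parts[2:] if "=" in kv)
    return {"time": when, "event": parts[1], **fields}


def detect_rdp_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, source, detail) tuples.

    'brute_force' fires once when a source accumulates `threshold` failed RDP
    logons inside `window`; 'compromise_suspected' fires if that same source
    then logs on successfully, which is the sequence to act on first.
    """
    recent = defaultdict(deque)   # source address -> recent failure timestamps
    flagged = set()               # sources that crossed the threshold
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev.get("type") != RDP_LOGON_TYPE:
            continue
        src = ev["src"]
        if ev["event"] == FAILED:
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop stale failures
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(q)))
        elif ev["event"] == SUCCESS and src in flagged:
            alerts.append(("compromise_suspected", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints two alerts for 203.0.113.45 and nothing for the till user, whose single failed attempt never reaches the threshold. The sliding window matters: a source that fails slowly over hours is not the same signal as five failures in six seconds, and keying on the success-after-failures sequence is what separates "someone is knocking" from "someone got in".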

It’s a serious threat, which the security industry most certainly has on its radar. Roll on the start of this month and the dialogue about POS attacks is still as topical as ever.

Speaking to SC Magazine, Bill Farmer, chief executive officer of Mako Networks, turned the discussion to “rogue terminals”, which exist outside of the central network, and are used as a mechanism to “harvest data” out of a business and into the hands of cyber criminals. What’s interesting is that adept criminals operate in a very surreptitious way.

“The cyber criminal will modify the device to steal the information and transmit it out to be stored,” he said. “It is not easily detectable as the compromised modules are transmitting data out for months at a time and are often in high-traffic places.”

They then collect this data, hold onto it for months, use it for small transactions a few months later and then at cash machines, where large amounts of cash are extracted, Mr Farmer added.

What then can be done to eliminate this threat? Simple security measures can be effective – all of which deny cyber criminals easy access into a system. You wouldn’t leave your back door open at home or in your office would you? Apply the same concept to POS terminals.

One of the recurring themes is for organisations not to “affiliate” the name of the business with a Wi-Fi network. This is like handing swindlers the golden key.

Another strategy is making sure that payment systems conform to the Payment Card Industry (PCI) Data Security Standard. The PCI Security Standards Council is a most useful asset, given that it is responsible for the development, management, education and awareness of industry standards.

Carry out penetration tests as a form of risk assessment to identify weaknesses in the system. Especially vulnerable organisations are those that have POS terminals in a variety of locations and with a sizeable workforce who may, on occasion, leave terminals unattended.

Finally, keep one step ahead of the game, be leaders and innovate. Technology in the digital age doesn’t stop for anyone and neither should you. Invest in new equipment, get regular software updates. Change is good and it puts cyber criminals on the back foot. We’ve got competition, they lament. Indeed they have.

The problem with everyone knowing who you are

The more successful you are, the wider your reach, and, sadly, the more likely it is that the number of critics and opponents you have is going to significantly multiply. You can’t please everyone.

This is the fate of governments, of big corporations, of uber-rich sports stars and people in the public sphere. They have to contend with the tough duality of being extremely popular and visible, while also being the object of loathing.

Why? Well, haters, they are most certainly going to hate. It then comes as no surprise that a number of large organisations have been hacked into. In the last year alone, one in seven organisations of this stature has had its security breached. On average, a large organisation faces a noteworthy attack every week, whereas a small business is liable to be hit at least once a month.

You see, it’s a basic science – if no-one knows your business, if your scope is limited, your audience even smaller, you simply ‘lose yourself’ amidst the crowd. It’s not that you’re insignificant, far from it. It’s just that everything you do is on a miniature level. Thus, it’s fair to say that if and when you break into the public consciousness and widen the net, with the good times will come challenges. You’re the ‘apple of my eye’ to some and the ‘ants at a picnic’ for others.

The findings of the 2012 Information Security Breaches Survey from PricewaterhouseCoopers (PwC), the global professional services firm, confirm that a new age is upon us: “the number of large organisations being hacked into is at a record high”. The cost of this to companies in the UK now runs into the billions.

In spite of this, many organisations are still not treating this, it seems, as seriously as they should. The poll above found that 20 per cent of organisations spend less than 20 per cent of their IT budget on information security, with 12 per cent of the opinion that senior management give it a low priority.

As professionals in our industry appreciate, this has obvious consequences, something which the researchers of this study reported. Businesses that have experienced very serious incidents of hacking spend, on average, 6.5 per cent of their IT budget on security.

“The key challenge is to evaluate and communicate the business benefits from investing in security controls,” observed Chris Potter, PwC information security partner.

“Otherwise, organisations end up paying more overall. Given that most organisations take a lot of action after a breach to tighten up their security, scrimping and saving on security creates a false economy. The cost of dealing with breaches and the kneejerk responses afterwards usually outweigh the cost of prevention.”

He did accept, rather perceptively, that with security it is difficult to measure the benefits of any system, because when it is doing its job and keeping threats at bay, no-one notices. It follows that come a board meeting, when the powers that be are discussing return on investment, it might be difficult to measure the value of the money that has gone into security measures.

But, if anything, the threat is very real and indeed, cyber crime, as Mr Potter has noted in the survey, is a rising risk to business. This is the status quo. It’s better to be proactive than reactive, the latter being a response only after an attack has succeeded. These haters, they’re gonna keep on hating, c’est la vie. Rain on their parade and beef up your security.

History today – BYOD and the need for a smartphone policy

We all live through history. Seminal events, big changes in life, landmark breakthroughs and the like, however noteworthy, come to have a greater significance in the future, seen from afar, analysed, placed in a wider context. Like when the internet came – some of us remember hearing about it at school, a teacher remarking you could use it at lunchtime, but that was time for gossiping, kicking a football about. We didn’t know how important it was. It was just something new.

Needless to say, the internet has, in its relatively short history, come to transform life on earth radically. We look back at the days of dial-up and bland, static pages of content, and we see primitive beings working out how to exist within the confines of this new medium, and it’s rather sweet, like children’s scribbles. And then one day, that scribble begins to take shape and an artist is born, shifting paintings worth millions of pounds. Back then it was just another picture; who would have known how important the work was? History allows us to assess it.

What will they say of BYOD (bring your own device) in five or ten years’ time? Was it a fad, a stroke of genius or an inevitable consequence of the mass proliferation of powerful portable and handheld devices, the stuff of which was unimaginable a decade ago? It’s hard to say; this history is for those writing in the future. To us, whether in an information security or a risk management setting, BYOD is just something that happened, like flexible working. It wasn’t a black and white thing where one day it wasn’t there and bam, the next day it was… it evolved.

Whatever your sentiments, it is definitely part of the discourse. And so, we stick to the present with this blog. BYOD is very open, complex and multifarious in nature, meaning it is predisposed to any number of security issues. Smartphones in particular, because of the sheer volume of data, traffic and work conducted on them, are increasingly becoming part of the regular apparatus at work, yet policies governing their use are lax.

According to Darrin Reynolds, vice president of information security at Agency Services in New York, one of the key things is to have a policy in place and for it to be communicated in as simple a manner as possible, or as he puts it, for it to be written in “crayon”.

In an interview with SearchSecurity.com, he explained the canons that govern his organisation when it comes to BYOD and mobile phones.

“The rules are you can use any device you want, but if it is going to support or receive corporate data then you have to play by our rules,” he elucidates. “Our rules are: you have to have a [personal identification number] PIN; it has to support a code lock; it has to have an auto lockout feature; it has to support encryption; and it has to support remote wipe. We kept it really simple to those four things.”

And that’s it, he says, no additional security measures. He may well be correct in surmising that those four methods of security – which are top notch, by the way – are enough to keep fraudsters and cyber criminals at bay, but, if history tells us anything, it’s that nothing stays static for long. In technology, what is new, what is current, is immediately yesterday’s news. More measures will have to be developed, either proactively or reactively, when the time comes. History repeats itself, albeit differently.

The big snooping debate

After announcing that it is considering introducing a new bill that will give the GCHQ unprecedented powers to monitor people’s emails, texts, social media content, phone calls and web browsing history – in real time – the government has had to defend itself from a barrage of condemnation.

Critics of the proposed legislation, which may be included in the Queen’s speech in May, have dubbed it a “snooping bill”, claiming that it is a clandestine way of monitoring the activities of everyday people.

The government, however, has assured the public that there is nothing sinister about the bill, no echoes of an Orwellian future, there will be no centralised database storing people’s information, and all information will remain “invisible”.

“Let’s be clear, this is not about extending the reach of the state into people’s data, it’s about trying to keep up with modern technology,” explained prime minister David Cameron, attempting to assuage opponents.

“We should remember that this sort of data, used at the moment, through the proper processes, is absolutely vital in stopping serious crime and some of the most serious terrorist incidents that could kill people in our country, so it’s essential we get this right.”

Advocates of the bill have asserted that this is its focus – to protect people and curb crime whether it’s tackling cyber criminals or terrorists. Akin to a software update, the new legislation is designed to respond to the significant changes that have taken place by virtue of the digital revolution, which has, in no short way, radically transformed most aspects of society. As Mr Cameron noted, a warrant will be needed to access the private information.

Others, however, are less sanguine. Nick Pickles, director of the Big Brother Watch campaign, sees it as leading to a reality that is comparable to the kind of surveillance that is prevalent in Iran and China, two countries known for having, for example, limited press freedoms.

“This is an absolute attack on privacy online and it is far from clear this will actually improve public safety, while adding significant costs to internet businesses,” he stated. “If this was such a serious security issue why has the Home Office not ensured these powers were in place before the Olympics?”

Although details of the proposed bill have yet to be finalised, it is believed that one of the most significant aspects will be for internet service providers and mobile phone companies to keep hold of all data travelling through their respective spheres.

At present, such information is accessible by intelligence agencies, the police and other public bodies, without any external organisations signing off. If the law is to go ahead, there is a desire to see an impartial body set up to monitor requests to ensure that freedoms are being protected and not abused.

“Whoever is in government, the grand snooping ambitions of security agencies don’t change,” Isabella Sankey, director of policy at Liberty, was quoted by the government as saying.

“The coalition agreement explicitly promised to ‘end unnecessary data retention’ and restore our civil liberties. At the very least we need less secret briefing and more public consultation if this promise is to be abandoned.”

Managing social media

You’d have thought social media was a simple thing: the two-way conversation where everyone’s connected, everyone’s linked, everyone’s liking, and everyone’s following. It’s a global world of connectivity, nonstop chitchat, an open existence where we learn, share and grow. At a basic level, yes, that’s social media defined perfectly, but as with any explanation of this kind, it merely touches the surface. Social media is much more than the sum of its parts.

At first, many organisations were reluctant to be taken in by it all. They thought it was a fad, so to speak: extremely popular but transient. Its time would pass. Everyone that took a sly little pop at it soon realised they had jumped the gun in their estimations. Everyone is now on Facebook, Twitter, LinkedIn, Tumblr and Pinterest, to name the obvious few.

Initially, most organisations didn’t know what to do. They were connected, but didn’t fully understand how to “talk”, to disseminate and to engage. But, with the passage of time, they refined their approach, savvied up on the particulars and, with the help of experts, cracked it. They’ve even taken the time to develop authoritative social media policies (see the BBC English Regions’ Social Media Strategy as one example).

However, this doesn’t imply that we’ve reached a level playing field. As we mentioned above, social media is a complex creature and a burgeoning one too. At RANT last night in London, Jitender Arora, chief information security officer (CISO) at GE Capital UK, discussed whether such policies are suitable. His assertion is that “pragmatic” social media governance is more effective.

He makes a shrewd point. Businesses, and indeed CISOs, can’t cover every eventuality in a static document that sets the terms and conditions in stone. You simply can’t anticipate every eventuality across a number of different platforms which, although all connected in that they are social, are distinct in their makeup. Moreover, asks Mr Arora: “Are social media policies really effective in changing user behaviour?”

The obvious challenge is how one ensures that a business keeps its brand integrity intact when it publishes and engages on a macro level – a ubiquitous presence online, by that fact alone, opens it up to blunders. And these are the ones that can’t be quickly remedied in the hope that no one noticed. Your audience, online, is connected. They saw.

One of the more serious challenges is naturally concerned with data protection. Cyber criminals, as we know, possess many means to hack into websites and security systems, big and small. The consequences of having a social network hacked are not to be underplayed as a paper two years ago postulated. Produced by the Information Systems Audit and Control Association, the study stated that the biggest threats to organisations through this conduit are viruses, brand hijacking and loss of corporate content.

Which, funnily enough, brings us back to the central question: which is best, a pragmatic approach or following a fixed policy? Honestly, a bit of both perhaps. The UK has an “unwritten” constitution and it works; it has done for many centuries. It responds and it grows. In the US they have a static constitution, which is superbly eloquent. It has been amended 27 times. Things change.

The next RANT forum takes place near Earls Court in London on Wednesday 25th April 2012. For more information, visit our website.

Some things can’t be swept under the carpet and forgotten

“Why can’t we just ignore PCI DSS and get on with life?”

Now if that didn’t get you jumping off your seat with a certain “Hang on, what was that?” spot of confusion, then we admire your restraint. It certainly got us animated, curious and chatting away.

Why so? Well, this is the question that passes through the mind of many people, something that Jeremy King, European director for the PCI Security Standard Council, knows all too well.

Speaking soon at the next Manchester RANT forum, and having already presented this at the London RANT, Mr King argues that while many people may indeed hold this opinion of PCI DSS (Payment Card Industry Data Security Standard), the alternative – which he equates to burying one’s head in the sand – would be somewhat regressive.

PCI DSS is, after all, designed to be a full-bodied, comprehensive security standard applicable for ubiquitous use, geared towards service providers and organisations that handle cardholder information. Its aim is for safety and preservation of the integrity of information at every step, for all sorts of cards including debit, credit, prepaid and POS.

As the PCI Security Standard Council states on its website, PCI DSS provides a robust security process that includes prevention, detection and appropriate reaction to most security incidents. The most visible security measure is in thwarting criminals from accessing card payment details for fraudulent purposes. It is effective, yes, but critics go further and say that the weaknesses inherent in the system are serious.

Robert Havelt, director of penetration testing at Trustwave’s SpiderLabs, states that PCI-compliant networks are open to exploitation because refined, custom-made malware allows criminals to bypass certain barriers, opening the back door and allowing them to navigate through other channels to the jackpot: the store of sensitive data. This, he argues, calls into question the effectiveness of segregating payment card data. It can be accessed.

It’s a topic that gets people heated up. It’s interesting, it’s relevant and it affects everyone involved. The idea behind PCI DSS is to be applauded and it is an effective measure against security breaches. However, it can be improved. Listen to what Mr King has to say at the end of the month and offer your thoughts.

The RANT forum takes place in London on the last Wednesday of each month.

The meaning of the LulzSec arrests

It’s a name that immediately gets the attention of everyone involved in information security.

LulzSec.

It was (or is, depending on a certain point of view) a well-known band of intercontinental hackers that prided themselves on carrying out cyber attacks on some very high-profile organisations and systems. Some of its alleged ‘hits’ have included tapping into the US Senate’s official website, causing ‘technical disruption’ to the CIA’s website, infiltrating a database that listed the locations of cash machines in the UK, and launching a denial of service attack against the UK’s Serious Organised Crime Agency.

It’s quite a list, to say the least. As such, it’s no surprise that since the arrest of Hector Xavier Monsegur – aka Sabu, the so-called leader of this gang of cyber criminals – last summer, security officials have been working double time to rein in the rest of LulzSec’s members. And it was recently revealed that a coordinated international effort has resulted in the arrest of some of its purportedly senior members in the US, the UK and the Republic of Ireland.

Speaking to Fox News, one unnamed hacker told the reporter that his peers were shocked about these recent developments.

“People are freaking out. Everyone’s totally freaking out,” the hacker said. “Everyone’s in shock. Bill Gates, Steve Jobs, Sabu – I mean of our generation, he’s going to be remembered in history.”

Since these arrests came to light, it has also been made known that Mr Monsegur has not only pleaded guilty to a string of offences relating to cyber crimes, but has turned informant, working with the FBI to help it paint a clearer picture of the clandestine activities the group has been involved in, who its members are and the kinds of strategies they’ve used to cause havoc and inconvenience business.

While this is welcome news (the group has, after all, reportedly caused billions of dollars’ worth of damage to corporations and governments), one expert has highlighted that the group was an offshoot of a much bigger movement known as Anonymous. The implication is that a significant battle has been won, but the war is still raging.

Anonymous is basically a worldwide group of hacktivists, its numbers unknown, who pool resources to launch various attacks that are ‘ethical’. Cnet’s Elinor Mills commented that while this crackdown will have an immediate impact, it will hardly diminish the resolve of those in Anonymous in continuing with their politically-motivated attacks.

Speaking to Cnet, one member said that arrests were commonplace, and, consequently, this latest clean-up of criminals will not be that detrimental. They’re not the ‘kingpins’, the hacker said. As it noted on its Twitter feed, in typical hyperbolic style: “We are Legion. We do not have a leader nor will we ever. LulzSec was a group, but Anonymous is a movement. Groups come and go, ideas remain.”

It’s a riveting story that reveals the complexity and challenge of combating online criminal activity that has no real tangible base. The democratic power of the internet, its open composition and its philosophy of freedom, is conversely one of its downsides. We haven’t yet figured out how to preserve all that while enforcing regulation and policing those who abuse these freedoms. However, as with anything in life, so long as the security officials work together, patrol the ‘digital streets’, across borders, small bites into the larger machine can erode the size and scope until its impact is infinitesimal.