In recent years, news stories have highlighted the increasing rate of cybercriminal activity targeting both private organizations and government entities. Cases ranging from mischievous amateur hackers managing to exploit basic vulnerabilities to more advanced security breaches carried out by expert criminal hackers and cybercrime organizations overseas have grabbed the attention of the media. Awareness of the seriousness of cybercrime has been raised among the general population, and many individuals are becoming more concerned with the data housed about them online. Hackers who refer to themselves as ‘hacktivists’ are grouping together to break into systems for political reasons or other activist agendas. This category of hacker has become more common in recent years, with more incidents reported in the media.
In May 2012, the Bureau of Justice was targeted by a group known as ‘AntiS3curityOPA’, an affiliate of the more well-known ‘Anonymous’. The group managed to infiltrate and steal sensitive data from the bureau’s systems. The data was then released as a 1.7 GB archive on the Pirate Bay torrent site, freely available for anyone to download. The reason the group gave for carrying out this attack was to “spread information, to allow the people to be heard, and to know the corruption in their government” (Schwartz, 2012).
This article focuses on this recent attack on the Bureau of Justice Statistics and provides an in-depth analysis of what went wrong, why the organization was targeted, and which people might want access to the released data. The motivations behind the attack will be analyzed, along with gaining a clearer picture of who the hackers are. Finally, this article looks at how the bureau might discourage or defend against future threats.
The Bureau of Justice Statistics
The Bureau of Justice Statistics is a federal government agency, which falls under the United States Department of Justice. The Bureau of Justice Statistics was created in 1979 and its purpose is to collect, analyze and publish crime data. According to its website, its mission is “To collect, analyze, publish, and disseminate information on crime, criminal offenders, victims of crime, and the operation of justice systems at all levels of government.”
The Bureau of Justice also provides grants to criminal justice statistics programs for data collection and processing as well as statistical and methodological research. They provide support to state, local, and tribal governments through their National Criminal History Improvement Program (NCHIP), State Justice Statistics (SJS) Program for Statistical Analysis Centers, and the NICS Act Record Improvement Programs for States and State Court Systems (NARIP). The bureau’s dissemination programs are summarized in the table below.
| Program | Description |
| --- | --- |
| National Criminal Justice Reference Service (NCJRS) | Provides justice statistical data and referrals to other sources of crime data. The website is available at: https://www.ncjrs.gov |
| National Archive of Criminal Justice Data (NACJD) | Data that has been collected and archived is then documented and made available through the NACJD service. The website is available at: http://www.icpsr.umich.edu/NACJD/index.html |
| Federal Justice Statistics Resource Center (FJSRC) | The FJSRC maintains the bureau’s Federal Justice Statistics Program database containing data on defendants and suspects in the federal courts. The website is available at: http://fjsrc.urban.org/ |
| Infobase of State Activities and Research (ISAR) | This system is maintained by the Justice Research and Statistics Association (JRSA) and it houses information on research and publications. The website is available at: http://www.jrsainfo.org/database/index.html |
More information on each of these programs can be found on the Bureau of Justice Statistics website. The information they primarily deal with consists of publicly available data sets, statistics and reports, freely available to anyone who accesses these program websites. Furthermore, the bureau provides in-depth publications available for direct download from its website in various common formats including PDF, ASCII, and comma-delimited format (CSV).
Overview of the Security Breach
On May 22nd, 2012, the hacker group known as ‘Anonymous’ released a video titled “Monday Mail Mayhem” claiming to have successfully breached the Bureau of Justice Statistics’ information systems. This same group, Anonymous, was also responsible for other attacks, including on the Department of Justice and the Federal Bureau of Investigation just two months earlier (Infosec Island, 2012). The video they released contained a narrative in a computerized voice that stated, “Today we are releasing 1.7GB of data that used to belong to the United States Bureau of Justice, until now.” The message went on to reveal that internal emails as well as an entire database dump were made available (Anonymous, 2012). The narrative went on to justify the actions of this hacker group by implying that their goal was to expose corruption within the federal government and claiming that the “truth will set us free in the end.”
The video (available on YouTube) provided a dramatic set of visuals and sound effects designed to grab the viewer’s attention. After the statement had been made, other visuals including the text “police state”, “global politics”, and “big pharma” scrolled across the screen in the form of a chain. This was then followed by the words “Together we Rise Up” next to “And Change Our World”. The video concluded with other threats and warnings that appeared designed to instill fear or excitement, depending on the context of the viewer.
The 1.7 GB archive, named “1.7GB_leaked_from_the_Bureau_of_Justice”, was uploaded to the Pirate Bay torrent sharing website by “AnonymousLeaks”. The reason for stealing and then making this archive available to the world was revealed in their video with the following statement: “We are releasing data to spread information, to allow the people to be heard, and to know the corruption in their government.” As mentioned earlier, the Bureau of Justice Statistics only publishes publicly available information on criminal offenders, victims of crime and the operation of justice systems within the United States at all levels of government. Therefore, it seemed odd that the hacker group was concerned with the information they could obtain from the bureau. Schwartz (2012) suggested that perhaps the connection was due to recently released information on hacker crimes and that this was perhaps a way for Anonymous to get back at the organization.
Whether or not the true motive behind this attack was driven by anger over the aforementioned published hacker crimes, it was clear that this was an embarrassing situation for the bureau. An organization called Identity Finder downloaded the torrent to analyze its contents, which appeared to contain 6.5 GB of web server data, reports and files. It did not, however, contain “any sensitive personal information, internal documents, or internal emails”, according to Identity Finder in a statement. Rashid (2012) concluded that the claims put forward by Anonymous about a “booty you may find lots of shiny things such as internal emails, and the entire database dump” were unsubstantiated. Had this been true, many people who could have profited from such data might have been interested in the archive. As it turned out, there was in fact a directory called “Mail”; however, it was mainly empty and contained 3 unique email addresses, 2 of which were considered administrative.
Other data within the archive contained over three thousand files of criminal information in the form of spreadsheets and graphical charts, which wasn’t very surprising to see since this is the type of data the bureau typically disseminates and makes publicly available. The information from the archive would have been of little interest to groups of hackers interested in potentially selling or using this information for malicious causes. One area of concern noted by Identity Finder was that the entire server file structure as well as JavaScript files and error logs had been made available. This in itself could be useful to hackers to stage future attacks and to give a clearer overview of the bureau’s network topology. The fact that the bureau knew this information was now publicly available should have prompted them to internally secure their systems from potential future attacks. Rashid concluded that while this attack had not resulted in a major exposure of Personally Identifiable Information (PII), it was however a massive public relations mess for the agency and it had provided a means of promoting the hacking group Anonymous.
Anonymous and Hacktivism
Traditionally, hackers have remained in the dark, carrying out covert operations in terms of breaking into systems for profit or personal gain. In recent years there have been a greater number of security breaches by groups who like to be labeled ‘Hacktivists’. The term ‘serious harm’ could be considered subjective depending on the context of the attack and the actors and victims involved. Anonymous, the group behind the Bureau of Justice Statistics breach, can be argued to fall under the category of hacktivism. Anonymous has its roots in 4chan, a website where users posted anonymously. It first made itself known to the general public in 2008 when it took issue with a request made by the Church of Scientology to YouTube to remove a video starring Tom Cruise which had been leaked there. They began launching denial-of-service attacks against Scientology sites and breached several systems, leaking sensitive information. Anonymous backed WikiLeaks by defacing the websites of Mastercard and Visa after they prevented WikiLeaks donors from making payments using their networks. Anonymous have also been known to wage a vendetta against law enforcement agencies, websites and databases by defacing sites and releasing PII on law enforcement personnel (Schwartz, 2012). In more recent years the group has shown support for the Occupy Wall Street movement and has even been involved with threatening the Mexican drug cartel.
The mask worn by Anonymous members originates from the movie V for Vendetta and features prominently in all Anonymous-related media and online videos. So what is it that drives this group to do what they do? Anonymous claim that they do not represent or stand for any government or organization; they make it clear that they support freedom of speech, people, and information (Prince, 2012). The group has long established their disapproval of the so-called “police state”, referring to the United States in that it incarcerates more people than any other country. Their qualms aren’t limited to the United States, however; they are concerned with any organization, government or entity that imposes restrictions on freedom of information, or with injustices they feel strongly enough about to get involved with. Several months ago, the group threatened to release names, addresses, social security numbers, and other private information of every football player from Steubenville High School, where two players had been accused of raping a 16-year-old girl. They released a video which stated that they were not going to let a group of men who treated “rape as a game or sport” get away with their crimes just because of their athletic ability (Caufield, 2013).
Defense Strategy and Discouragement of Attacks
Anonymous certainly appear to be carrying out their activities for some kind of greater good. They believe their actions are justified in terms of the various systems they have broken, the information they have leaked, and the harm and cost they have caused government and private organizations and agencies. It is difficult to ascertain whether or not the Bureau of Justice Statistics would be able to do anything differently to discourage the actions of such a radical group; however, simply having a better understanding of their background, motives and intent would be beneficial. Armed with this knowledge, it is important for organizations like the Bureau of Justice Statistics to be prepared against similar attacks in the future. There have been many times in the past that Anonymous have taken action that has provided more media coverage than harm; however, at the same time there have also been very real breaches with high costs. This attack should not be taken lightly, and other government agencies should learn from shortcomings in security strategies. Since the Bureau of Justice Statistics typically carries and provides publicly available information, reports and number crunching, it probably did not deem itself a high-probability target for so-called hacktivists; however, recent events have proven otherwise. The public knowledge of such an attack has not only led to ‘embarrassment’, but also brings into question the security practices of other government agencies.
Strategies should be implemented immediately to protect the bureau from the consequences of the already leaked server logs and network topology information. While it is not clear what vulnerability allowed Anonymous to penetrate the bureau’s system, strategies should be in place to regularly review website traffic. While there was no evidence that the public-facing website was connected to internal sensitive documents, strategies should still be put in place to detect unauthorized access. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) should be used to detect and prevent unauthorized access. Other security practices should be implemented, including proper separation of responsibilities, multi-layered security controls, and other means of network and physical security. More broadly, agencies from different parts of the federal government should coalesce in terms of security strategy and policies to ensure that adequate protection is given even to those web presences that only provide public information.
Conclusion
The Bureau of Justice Statistics was an unlikely target of the hacktivist group Anonymous. The entire event seemed to provide more media attention than actual harm, and it proved to be an embarrassment for the agency. The bureau did not suffer extreme losses; however, this was a big win for Anonymous, as it gave them extended media coverage along with key words such as the “Department of Justice” even though this agency was not hacked. It highlighted the importance of maintaining strong security practices, even for websites that are providing nothing more than publicly available information.
Hacktivist groups have made headlines more frequently in recent years. Supporters of piracy and anti-copyright movements, labeled under the category of ‘freedom of information’, have spurred interest on a global scale and continue to grow in number. It is important that government and private organizations continue to evaluate the risks these groups create and to better understand the motivations and culture behind their populations. This is of particular importance within organizations that are perceived ‘enemies’ or ‘adversaries’ of such groups, which includes much of the federal government systems, law enforcement organizations, pro-copyright institutions and any other organization perceived to not fall in line with the hacktivists’ worldview on justice. By better understanding these groups and the threats they bring, government agencies and private organizations will be better equipped to refine their security strategies, enabling them to protect themselves from future incidents.
References:
- Anonymous Hackers Plan to Target OPD. (n.d.). Retrieved March 30, 2013, from http://www.wowt.com/news/headlines/Anonymous-Hackers-Plan-to-Target-OPD-200361161.html?ref=161
- ANONYMOUS – Monday Mail Mayhem. (2012). Retrieved from http://www.youtube.com/watch?v=2oEo3OC75yY&feature=youtube_gdata_player
- Bass, T. (2000). Intrusion detection systems and multisensory data fusion. ACM, 43(4), 99-105. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.47.3851&rep=rep1&type=pdf
- Caufield, P. (2013). Hacker Group Anonymous plans second ‘Occupy Steubenville’ rally on Saturday. Retrieved from: http://www.nydailynews.com/news/national/tk-article-1.1233022
- Chacos, B. (2012). Anonymous Hacks Department of Justice! But Does It Really Matter? Retrieved from: http://www.maximumpc.com/article/news/anonymous_hacks_department_justice_does_it_really_matter
- Check Point (2011). Check Point Products: IPS-1. Retrieved from: http://www.checkpoint.com/products/ips-1/index.html
- Denning, D. E. (2000). Proceedings at the Internet and international systems: information technology and American foreign policy decision making workshop, San Francisco, CA: Activism, hacktivism, and cyberterrorism: the Internet as a tool for influencing foreign policy. Retrieved from http://oldsite.nautilus.org/archives/info-policy/workshop/papers/denning.html
- Infosec Island (2012). Anonymous Claims Department of Justice Hack, Data Dump. Retrieved from: http://mark.dev.infosecisland.com/blogview/21395-Anonymous-Claims-Department-of-Justice-Hack-Data-Dump.html
- Prince, P. (2012). Anonymous Hacktivists Leak Bureau of Justice Statistics. Retrieved from: http://www.eweek.com/c/a/Security/Anonymous-Hacktivists-Leak-Bureau-of-Justice-Statistics-622457/
- Rashid, F. Y. (2012). Anonymous DOJ Breach More Embarrassing Than Harmful. PCMAG. Retrieved March 30, 2013, from http://securitywatch.pcmag.com/security/298272-anonymous-doj-breach-more-embarrassing-than-harmful
- Schwartz, M. (2012). Anonymous Leaks 1.7 GB Justice Department Database. InformationWeek. Retrieved from http://www.informationweek.com/news/security/attacks/240000778