On the heels of the Canadian Association of Chiefs of Police conference in Ottawa, where we had a booth, we had planned on doing a write-up on the event.
But then this happened…
So rather than providing you with a summary of links, we thought it would be interesting to focus on this one story and see if we can relate it to Canada. To save you reading the whole article: a 15-year-old executed a DDoS attack on an E-Crime website (and others) in Australia. Not to belittle the IT chops of young people, but this illustrates just how easy it is to execute DDoS attacks today. As we have written before, an attack can be launched with little more than a credit card and easy-to-download stressor tools.
First, he brought down a bank in a customer-impacting attack. Seeming to get away with it, he later decided to hit his school's IT systems and the school's ISP because he was bored. Again he seemed to get away with it and, now doubly emboldened, he decided to target the ACORN website, which is used by Australian police forces and other agencies to help fight cybercrime.
Now I don't know about you, but at some point in a crime spree you would think that you have probably taken it far enough. But in this case the teen was a true nuisance hacker doing it for fun and not profit. Targeting the police seems to have put an end to his activities – especially since he wasn't a particularly good hacker and did little to hide his IP address.
Let's be honest: if you have a teenager, then you know they can do some pretty stupid things. It is really easy to do some petty vandalism to a school or perhaps get caught drinking underage. What most parents don't know is how easy it is to go from online trolling in internet game rooms to becoming a full-on cybercriminal. Since the path always feels virtual, a child may not really understand the impact of their actions. Then the question becomes: is this type of cybercrime more like vandalism, more like torrenting movies, or more like armed robbery?
In this case, the good news for the family is that the authorities in Australia didn't treat the perpetrator like a hardened criminal. The punishment for the crime seems to recognize that this child was being just plain stupid and involves working with the family and focusing on rehabilitation. This is much less than the “up to 10 year imprisonment” an adult in the country would have faced.
But let's not belittle the issue either. Take the quote from the local magistrate Cathy Deland regarding the possible cost of his activities:
“I have no doubt it would have been in the millions of dollars.”
Nuisance hacking has the potential to have the same impact as true international cyber-crime. How does this fact impact Canadian police forces? It illustrates that they have IT risks ranging from DDoS attacks that originate off-shore, like the one that targeted the forces in Ontario and CSIS a couple of years ago, to local kids being a nuisance. Law enforcement needs tools to properly locate such activity and enforce the law where a 15-year-old can have an impact measured in the millions of dollars. But they also need prudent steps to mitigate risk. To be honest, we don't believe you can call it risk, because it seems a certainty that everyone will be attacked at some point. So they need to mitigate certainty.
When the nefarious activity is aimed at law enforcement, they also need to be able to manage it, because it can have a serious impact on their services and their reputation. They are targets every bit as much as those organizations and citizens that their cyber-crime units are trying to help. Worse, because they deal in life-or-death situations, they may also become targets for ransomware attacks, as was the case for several police and emergency services in the US.
CIRA reviewed the websites of a couple dozen police forces in Canada and analyzed their DNS configuration to determine whether the police sector was a potential sector for our DNS service (as a side note, only one out of sixty reviewed appeared to be following DNS best practices). Doing this analysis required us to review their websites to see what they were doing with them. As a general rule, most forces in Canada aren't delivering complicated online services today and are more about disseminating information. This doesn't mean that they don't have web applications sharing the same network resources as their website, and it does not mean that they don't face operational risks. For instance, at the very least they likely rely on email resolution for administration, so if the domain fails then so too does email. The point is that while their website is a potential target for a nuisance-type DDoS attack, the direct impact on service delivery may not be that high today.
As online capabilities grow and the IT stack becomes more complicated, interdependencies between systems mean that everything is a target. A hacker's tool chest includes everything from DDoS to ransomware to data theft, and many hackers employ multi-vector attacks.
At the very highest ranks, a significant amount of time and effort is being spent on the problem as it relates to off-shore attacks, as illustrated by CSIS and the RCMP collaborating to help protect our national infrastructure. But in the true spirit of “think global, act local”, while the heavy hitters set up their task forces, local forces and the municipalities that support them need to take prudent steps to mitigate both professional and nuisance cyber-attacks, as there are more of both happening every year.