In today's internet war, no one is safe
Looking at the news media, one cannot avoid the feeling that there is a real war going on across the internet, with several active forces: armies, of course, but also raiders looking for easy money, wannabe pirates, professional and highly determined attackers, as well as absolute beginners without a clue. All of them are equipped with very effective weapons, while the defences are not always up to the threat.
Defence weaknesses, obvious carelessness aside, often come from approaching the problem from the defender's point of view: defenders weigh the value they themselves attribute to their assets instead of the value the attacker seeks. Unfortunately, the attacker's motivations are not always what we think they are. Banks and e-commerce sites are concerned, rightly so, about people wanting to steal money, financial data and credit card numbers - and they are usually pretty good at setting up countermeasures.
Successful attacks against these kinds of targets often hit the news, but a huge number of intrusions are far less known, have less obvious motivations and involve a far larger number of interesting targets. What are some of the reasons why sites that seem unattractive or less valuable can be desirable targets, prone to becoming “collateral damages” of activities with other aims? A quite common situation is a server hijacked only to be used as a platform for launching attacks against other, more valuable targets. In this case the attacker has no reason to damage the server and tries to go unnoticed as much as possible. Suddenly the victim (say, a blogger or the administrator of a harmless site) finds himself or herself involved in a botnet used for DDoS attacks against big sites.
The opportunities available once a server is hijacked are limited only by the imagination of the attacker, a nearly endless resource: spam, creation of fake social network content, phishing, fake ads, you name it. Server resources like CPU, storage and bandwidth are also worth an attack: bitcoin mining, space to store any kind of content to be shared, and so on. To this description we have to add that a large part of attacks are carried out by automatic tools (bots, worms, malware, etc.) without any specific motivation against a specific site; they simply comb the network and infect any vulnerable server they find.
The consequences for the owner of the compromised server can be serious: loss or leak of sensitive data, downtime, damage to public image, involvement in malicious activities, and all of this without even owning a valuable and attractive site! The bottom line is that to measure how interesting a server or a site is, and how effective its countermeasures are, we should not focus only on what we think the value is, but mainly on what the attacker considers valuable. Obvious as it may seem, we must add that it is extremely difficult to discern what an attacker values most. The only reasonable approach is then to adopt all possible countermeasures, within reasonable limits, and anticipate all possible damages. This may seem unfair, and it is: hence the reason why I use the term “collateral damages”.
FABIO COATTI, ICT Legal Consulting
