The hacker group Anonymous recently announced through a YouTube video that it plans to “kill” Facebook on Nov. 5 for supposedly abusing the privacy of its users. We asked Engin Kirda, the Sy and Laurie Sternberg Interdisciplinary Endowed Professor for Information Assurance — with joint appointments in Northeastern’s College of Computer and Information Science and Department of Electrical and Computer Engineering — to discuss the potential implications of the hack and provide some insight into the motives behind hacking groups such as Anonymous.
How would the infamous hacking group Anonymous go about carrying out its threat to “kill” Facebook? What effect would a successful attack have on Facebook users?
I see two options here: The first option is that the group has discovered an unknown vulnerability on Facebook, and is planning to exploit that to compromise the availability of the site. The second option is a so-called Distributed Denial of Service (DDoS) attack, which is common and well known on the Internet. In such an attack, the attackers typically use groups of compromised computers to send many web requests at once to the targeted website. Because of the sudden increase in traffic, the website might not be able to deal with the increased number of requests and simply fails. As a result, the site becomes unavailable to users.
Anonymous says in its video that it is inviting people to participate in “killing” Facebook. To me, this sounds like it is planning to provide tools to volunteer users that would be used to generate large numbers of web requests. If such an attack were successful, Facebook would become inaccessible for many of its users.
I would caution everyone (especially students who like to experiment) against using any tools that could be used in a DDoS attack — usage of such tools is illegal and can get you into a lot of trouble.
Facebook has launched a “bug bounty” program to keep its users safer from attacks. What other precautions do you expect Facebook will take in order to ensure user-safety?
From past collaborations with Facebook’s security team, I know that they take all potential security problems very seriously. In fact, we discovered some security issues on Facebook last year as a result of our research, and the site was very quick in fixing them. I am sure that it will be monitoring its systems and will be constantly looking for vulnerabilities it is not aware of. Unfortunately, though, there is no easy fix to DDoS attacks. The only effective solution right now is to have more computing resources available than the attackers. My guess is that Facebook may try to increase its server resources if it is expecting an attack. For example, it could decide to buy more resources from cloud companies like Akamai.
Are hacking groups, such as Anonymous, out to make a social point or to test their skills against potentially impenetrable systems?
I think it is a mix of the two. In the case of Anonymous, though, I think it’s more about making a political and social statement. Some of its hacks to date have been impressive but at the same time, DDoS attacks are pretty straightforward and technically not that sophisticated.
For me, it is fascinating to see a change of mindset about how we look at cyber-security today. Groups like Anonymous are demonstrating how vulnerable many companies and organizations are and how the lives of ordinary people can be affected if the security of cyber-systems is not taken seriously. I am very excited to say that Northeastern has been growing fast and gaining visibility in this area.