Unfortunately not every IT Professional is ethical!  The full service for the Canadian Information Processing Society of Ontario (CIPS Ontario) has been fully operational for less than a week and we are getting bomabarded by hacking attempts with people trying to break into the site.

So far, so good, the extensive measures and constant updates we apply are keeping the site safe.

We know this because we have a series of IDS watchdogs running on the back-end that log all access to the system whether they succeed or fail.   The ones that succeed are subsequently archived off and kept for 30 days in case we have to identify the identity of people who deface the site or post content or comments that are not appropriate to their access to the sites terms of use, or the ethical standards of CIPS.

The failures are investigated fairly immediately.  This is to identify if our members and registered users are having legitimate problems with accessing content on the site they are supposed to, or for the point of this blog, are trying to subvert the security of the system for their own purposes.

The evidence

So where are these attacks originating from?  The majority of the attacks so far are coming from the USA, mainly from script kiddies, the most technical attacks are coming from Russia, Latvia and Ukraine, with China and Mexico making up a small percentage of the usual suspects.  The rest of the World make up only 25% of the attacks, or which most are general probing attacks.  This can be seen from the chart below.

Percentage of Hacking Attempts by Country

The chart below breaks down the attacks we have seen so far in the last week into categories.  The worrying trend is towards the attacks using technologies that are widely used in cloud computing, namely attacks using XML.  By and large the greatest number of attack are still happening against user accounts, which proves that good Identify control is paramount to keeping a site secure.

Attack percentages by type

So how many hacking attempts did we get?  Two thousand, five hundred and thirty seven in ninety six hours!  Slightly more than 2 every minute.

The ethics

Un-ethical behaviour is not necessarily illegal.  Using your companies computers to access a web-service that promotes your own business.  That’s un-ethical, it’s not illegal.  Taking an idea that comes to you fro solving a problem at work, not giving that solution to your employer but using it for your own benefit.  That’s un-ethical, it’s not illegal.

The first will probably get you fired.   The second, much harder to catch but will do you now favours in the long run, as people will understand where you stand ethically.

Hacking into a site to try to deface it, access data that’s not freely available, or just to poke around are all un-ethical practices  and in this and many other countries highly illegal.  You might get away with it for a while, but eventually you will leave a footprint that can be traced back to you.

You may ask why I bother to sate that because its illegal its also unethical?  The answer is to identify the impact this illegal action has as a knock-on effect.

First, more security measures have to be implemented to try to avert hacking attempts.  This is extra cost to the business, both in product and in resources. Then there is the extra load on the systems.  The security tools, irrespective of the suppliers claims do impose a toll on the processing capabilities of the computers they reside on, slowing them down and making the experience of using them less that perfect.

The actual attacks themselves create a load on the system.  In our case 2.27 hits per minute doesn’t seem a lot, but the system is not yet widely known and hasn’t been online long.  The type of hack actually has an impact on the server to and again on the experience of the bona-fide users.  In addition there is the extra load on the networks.

The outcome of the attacks may have a knock on effect.  We regularly send abuse reports to the Internet Service Companies (ISCs) who manage the services to the offending IP addresses, asking them to deal with the problem, and respond to us with the resolution.  If we receive no, or an unsatisfactory, response we lock all access to their sub-nets from our systems, and report them to the major spam engines.  This has a knock-on effect to any law-abiding, ethical user on that sub-net.  These are generally people who are local to the hacker.  So next time you can’t access a web-site or have you mail bombed by Spamcop, SpamHaus or the multitude of other Spam engines, you might want to start looking around at your neighbours (or even you Kids!).

The list is extensive, but these few of points illustrate that, even if a practice isn’t illegal, thought needs to be given to the impact of the action you are taking when accessing systems, rather than the result you are aiming for.  This goes for all computer accesses, and this should be borne in mind when programming, testing or otherwise accessing systems which more and more are on shared resources and networked services.

This is the site in which you get to have your say.  The Canadian Information Processing Society is, by definition, a society of Professionals, based in Canada, working  with Information Technology.

We form a social structure that relies on an interplay of discourse and dialogue, creating a web of individuals whose function it is to produce and pass on information so that it can be stored in memories and used to improve our profession, our services and our way of life.

This site is another method in which YOU as an IT Professional can share your thoughts, aspirations and experiences to pass on to other.  This will in some way help them to understand the problems and hopefully the solutions to many of the things that affect us all.

Some quotes that might encourage you to contribute:

“The important thing is not to stop questioning. Curiosity has its own reason for existing.” Albert Einstein

“We have two ears and one mouth so that we can listen twice as much as we speak.” – Epictetus

“According to most studies, people’s number one fear is public speaking. Number two is death. Death is number two.  Does that sound right?  This means to the average person, if you go to a funeral, you’re better off in the casket than doing the eulogy.” – Jerry Seinfeld