Employees who are part of the design and supply chain processes should only be given
access that pertains to their role. The supply chain process should be securely engineered to
make sure employees are not able to tamper with software or hardware to install spyware or
backdoor programs. For example, an employee with access to source code that is used to push
out firmware updates for a baby monitor might try to sneak in a backdoor account that could
be leveraged later to control and gain access to every baby monitor produced by the company.
Abuse case analysis for this category of threat agent should include third-party contractors
and partners as well. It is important for IoT product designers to think through potential
abuse cases in the context of threat agents so that they are able to build controls into the
devices, as well as the backend infrastructure and processes supporting the products.
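One control for the backdoor-account abuse case above is a release gate that compares the accounts in a firmware image's root filesystem against an approved baseline before the update is signed. The following is an added example, not code from the book; the account names, file contents, and baseline are constructed, and the function names are hypothetical.

```python
"""Release-gate check: compare accounts in a firmware root filesystem against
an approved baseline. All names and file contents below are constructed."""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_colon_file(text, min_fields):
    """Parse passwd/shadow-style content into {name: [fields...]}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"malformed entry: {line!r}")
        rows[fields[0]] = fields
    return rows

def audit_accounts(passwd_text, shadow_text, approved):
    """approved maps account name -> True if interactive login is allowed.
    Returns a list of (account, finding) tuples; an empty list means pass."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    findings = []
    for name, f in sorted(passwd.items()):
        uid, shell = int(f[2]), f[6]
        # "x" in passwd means the hash lives in shadow; no shadow entry = locked.
        pw = shadow[name][1] if name in shadow else ("*" if f[1] == "x" else f[1])
        # "*" or "!" prefix locks the password; an empty field needs no password.
        can_login = shell not in NOLOGIN_SHELLS and not pw.startswith(("*", "!"))
        if name not in approved:
            findings.append((name, "not in approved baseline"))
        if uid == 0 and name != "root":
            findings.append((name, "shares UID 0 with root"))
        if can_login and not approved.get(name, False):
            findings.append((name, "login-capable without approval"))
    return findings

# Constructed sample: "svc" stands in for an account slipped into the image.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www:x:33:33:web:/var/www:/bin/false
svc:x:0:0:service:/tmp:/bin/sh"""
SAMPLE_SHADOW = """root:$6$constructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www:!:19000:0:99999:7:::
svc:$6$constructed$alsonotreal:19000:0:99999:7:::"""
APPROVED = {"root": True, "daemon": False, "www": False}
```

The check only works as a control if the baseline is owned and changed by someone other than the engineers who build the firmware. It covers the account files only; credentials hardcoded in binaries or scripts need separate review.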
Hacktivists
Groups and individuals in this category—a blend of the words hack and activist—leverage
weaknesses in technology to promote a political agenda, often related to human rights and
freedom of information. The group known as Anonymous is one of the best examples of
hacktivists. They define themselves as “a very loose and decentralized command structure that
operates on ideas rather than directive.” The group’s name originated from the 4chan website,
where users share various categories of images with one another. The website doesn’t require
registration, and users who post messages are tagged with the label “Anonymous.”
In 2008, Anonymous launched Project Chanology, which was an effort to retaliate
against the Church of Scientology for censorship. A private video starring actor Tom Cruise
discussing the virtues of Scientology was posted online by the Gawker website. The video was
initially hosted on YouTube, and the Church of Scientology sent a copyright infringement
notice to have it removed. Anonymous considered this unfair censorship and launched
various denial of service attacks against Scientology websites in protest. They also prank-called the
church and sent in fax messages with black paper to drain the ink from the church’s fax
machines.
In November 2010, WikiLeaks released hundreds of thousands of leaked US diplomatic
cables. Worried about possible legal threats from the US government, Amazon pulled the
plug on hosting the WikiLeaks website. PayPal, MasterCard, and Visa also cut off service to
the organization. As a result, members of Anonymous announced Operation Avenge Assange
in support of Julian Assange, founder of WikiLeaks. The group launched denial of service
attacks against PayPal, MasterCard, and Visa, but could not gather enough resources to bring
down the Amazon infrastructure.
In early 2011, Aaron Barr, the CEO of the cybersecurity company HBGary Federal,
claimed to have used social media platforms such as Facebook and Twitter to find out the
actual identities of some members of Anonymous. In response, members of Anonymous
exploited a SQL injection vulnerability on one of HBGary’s systems and obtained full-blown
access. They compromised Barr’s Twitter account and even claimed to have remotely wiped
his iPad. They also released thousands of confidential emails that contained internal commu-