LulzSec, the group who breached Sony, PBS, Fox, and even the FBI, has no agenda other than their own amusement. Over the last month, they have dominated the headlines, earned nearly 100,000 followers on Twitter, and have been paid for their actions via donations. Is the security community secretly cheering?
As of Wednesday, LulzSec had 96,211 followers on Twitter. They are expected to clear 100,000 before the week is out, or by month's end at the latest. Based on the count - see Attrition.org - they are responsible for six of the last seventeen attacks on Sony, and as a result their following quickly grew.
[They hit the 100k mark sometime on Wednesday. The current count is 117,733]
Moreover, LulzSec has targeted Fox, because they didn’t like them; PBS for their Frontline story; the FBI, over the government’s opinion that hacking should be an act of war; Nintendo, just for fun; and their public introduction came via the leak of the 2011 X-Factor contestant database.
Recently, there was a rumor that one member of LulzSec had been arrested; the group quickly stamped that down, commenting on Twitter that, “Nobody arrested, no significant logs leaked, website up, twitter up, Pirate Bay account up, IRC up, Lulz Boat sailing... victory for us.”
They’ve managed to be paid for, as their Twitter profile notes, “high-quality entertainment at your expense”, announcing that they have received more than $7,800 USD in Bitcoin donations. [http://www.bitcoin.org] At the same time, they are also seeing millions of unique hits to their domain, where the results of their attacks are posted online.
Is the security community cheering or jeering?
“Although large sections of the security community will deny it if you ask them, they're secretly enjoying watching LulzSec's campaign of mayhem unfold,” wrote Patrick Gray, on the Risky Business blog.
“Twitter has given LulzSec a stage to show off on, and showing off they are. The Internetz, largely, are loving it. It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts.”
A valid point. Some in the security industry are secretly sitting down, popcorn in hand, watching the show with rapt attention. Why? Because LulzSec is proving what many security evangelists and experts have said for years: there is no such thing as true security, and assumptions of such are delusional at best.
Many organizations are still hoping for that silver bullet, the one bit of software or hardware that will solve all their security problems. Sadly, there are vendors ready and willing to sell such solutions to them. If not that, then it is often a case of security by obscurity, or an organization simply assuming no one is interested in their network or data.
“Security types like LulzSec because they're proving what a mess we're in…There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us. LulzSec is running around pummeling some of the world's most powerful organisations into the ground... for laughs! For lulz...Surely that tells you what you need to know about computer security: there isn't any,” Gray noted.
In many of the cases where LulzSec has gained traction, it was something small, such as an overlooked parameter in a Web application, which allowed them full access to their target. A security practitioner, and avid skateboarder, compared this commonality to an old saying: “Beware the power of a pebble.” It’s always something small that can trip you up.
Perhaps vigilance is the only real hope for many security professionals. Knowing what is at risk, why it is at risk, and what can be done to protect it, is a solid start. After that process, things get granular and messy, so there is no easy answer.
This is why attackers leverage pebbles. As one attempts to navigate the security world’s offerings of protection - getting lost in all the options and vendor spin - the little things that are ignored or overlooked cause the most problems.
Thus, as Gray said, we don’t have computer security, because there truly isn’t any. Something somewhere will fail, and yet another organization will become a statistic.
[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to [email protected]]
As this editorial was being written, LulzSec hacked Black & Berg Cybersecurity Consulting, a small and relatively unknown firm out of Nebraska, with an interesting reputation on Twitter.
On Tuesday, Joe Black, the company CEO sent the following message to LulzSec on Twitter:
“Black & Berg Cybersecurity Consulting appreciate all the hard work that you're putting in. Your Hacking = Clients for us. Thx ~Joe”
The hacking, as seen in the image below, occurred shortly after the security firm issued a challenge:
“Cybersecurity For The 21st Century, Hacking Challenge: Change this website's homepage picture and win $10K and a position working with Senior Cybersecurity Advisor, Joe Black”
In response, LulzSec altered the image and added, “DONE, THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ,” to the challenge’s message.