Lulzsec Ups The Ante

There have been a string of breaches against various companies claimed by a hacking group called Lulzsec.  They have attacked organisations such as Sony, the US Senate, the security company Unveillance, the Atlanta chapter of an FBI affiliate group called Infragard, Bethesda Software, the British National Health Service, PBS and numerous others including many pornography sites.

They claim to be highlighting how weak the security of these organisations is and to teach them a lesson in how to secure their systems.  By any logical reasoning this is not a valid argument.  If you were to equate this to real life it would be similar to someone breaking into your house and leaving a note on your kitchen table to tell you that the lock on your front door was weak and while they are at it, taking some private information and posting it on a noticeboard for everyone to see.

Lulzsec has been getting a lot of publicity, with many people acting as cheerleaders as they cause havoc across the web.  Many see them as a group that is finally forcing organisations to sit up and take notice of their lax security practices and argue that this is for the greater good.  However, in most countries what Lulzsec is doing is against the law and the actions they are taking are criminal acts.  There is also the matter that in a number of cases Lulzsec has posted the personal information of the customers of the breached sites onto the Internet, which now poses a security threat to those individuals.  There are more ethical and acceptable ways to make companies aware that their security is not up to scratch that do not involve putting innocent people at risk.

Tonight may be the time when Lulzsec overreached themselves.  It appears they launched a Distributed Denial of Service (DDoS) attack against the CIA website, www.cia.gov.  At the time of writing the CIA website is not reachable.

I suspect that they may have tried to breach the website but were unable to do so and as a result have simply blocked all traffic to the site.  This may not expose any sensitive information or breach the security of the site, but it does present a very embarrassing situation for the CIA.  This action, I am sure, will not go down well with the authorities, and the CIA, and by extension the US Government, have a lot more resources open to them to track down the source of the attackers than, say, Sony or any of the other systems that they have attacked.

In addition to the CIA, Lulzsec have also drawn the ire of another infamous hacker called th3j35t3r. Th3j35t3r appears to be a pro-western hacker and has been responsible for a number of attacks against websites supporting extremist terrorism.  In the tweet below he tells Lulzsec “re your last hit.  Gloves off. Expect me.”

It promises to be an interesting few days ahead for the members of Lulzsec and those of us looking on.

UPDATE 16th June 2011

Thanks to a very interesting discussion with attrition.org on Twitter, a number of items have been pointed out to me:

In the third paragraph I state that there is no “logical reasoning” behind Lulzsec attacking certain companies to highlight “how weak the security of these organisations is and to teach them a lesson in how to secure their systems.”  As was pointed out to me, just because I do not agree with their methods does not mean there is no logical reasoning behind it.  This is a very valid point.  While I do not believe breaking into a system and publishing the information found there is the correct way to show how ineffective an organisation’s security is, that does not mean it is not a way to demonstrate it.  I also fully accept that the more ethical, legal and perhaps, as some would argue, naive way is not always effective, as companies can, and in some cases will, choose to ignore the findings they are presented with.  But does this justify breaking into their systems and publishing their information or that of their customers?  How do we determine what is the right way in this situation?  Who or what gives individuals the right to break the law and hack into a system and expose sensitive data?

What are your thoughts on the issue? What is the most effective way to get organisations to address issues with the security of their systems without having to break the law or put innocent users at risk?

9 thoughts on “Lulzsec Ups The Ante”

  1. Pingback: Security Watch » Blog Archive » Attrition.org Posts a Rebuttal to my Lulzsec Post

  2. Initially the idea was full disclosure, but then we had worms and autorooters thrown together by skiddies. We had the idea of penetration testing, which exposed the flaws and assisted companies in securing their systems, yet we’d keep coming back to the same companies and find similar issues.

    I left the security scene a few years back because both the private and public sector would continue to hire and employ the same arrogant, clueless programmers and administrators, whose empire building and political clout would somehow always manage to drown out the fact that every six months we’d come in, exploit the same systems with the same vulnerabilities that were supposed to have been fixed last time.

    Now I’m back in software development. I’m quite happy for there to be laws that could charge me with extreme negligence for failing to stay abreast of and adopt security best practices. The problem is the legislation would need to be internationally adopted, and this just isn’t going to happen in the foreseeable future.

    Penetration testing is also a very artificial game, with a clearly defined ‘playpen’ in which to operate. Often the real issues occur at the boundaries. One does not break into a client’s gmail account, their dns provider, or their ISP’s routers, despite the fact that in the real world, these legal boundaries do not exist for an attacker.

    Good to see you backstepped from your initial logical argument in response to attrition.org. It’s best to remove emotion and concepts such as ‘right and wrong’ when the heart of the issue is capability. I don’t agree with the *morality* of lulzsec’s tactics, but they provide patently undeniable evidence of the ROI of adopting a good security posture; *logically*, therefore, we might see an improvement in corporate and government security (though I am not going to hold my breath).

  3. dear sirs,

    let me approve your way of making both, fun to us and attention to
    those companies that treat security  a matter of: btw we should not
    evidently be public. a threat that is real will move those companies
    to enhance their efforts in privacy. they know our data, but we do not
    know their way of protecting it. you show us. this is good. this is ethical.

    newspapers work similar, publish hidden matters. thus avoiding
    the existence of those plans to make relevant matters behind
    closed doors.

    keep going. the fore will be with u.

    Frank, Muenchen, Germany


  4. Pingback: Forcing Transparency Through Anonymity

  5. “But does this justify breaking into their systems and publishing their information or that of their customers?”

    YES!!!111oneone

  6. @ DaveTheJohn

    Thanks for taking the time to comment. You make a lot of valid points and it is interesting to see that as a software developer you would be happy to take on legal responsibility for issues caused by the software you write.

    I think this is a fundamental concept that we need to explore further in this industry. There are two issues that need to be looked at;
    (a) If you look at most EULA licenses they actually only give you the right to use rather than the right to own the software. This means that many of the legal protections for those who buy and own a product do not apply.
    (b) Again the EULA also places no liability on the vendor should defects in their product cause problems for the customer.

    This places no driver on the vendor to ensure their product is secure. I doubt car manufacturers or vendors who make electrical appliances would be allowed to place the same conditions in their agreements. The UK House of Lords Fifth Technology Report actually has some good recommendations on how to improve security: http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/16502.htm. Unfortunately the report was rejected.

    Regarding the testing of systems: there are a lot of issues here, and yes, I have seen many companies ignore or not action items from security tests. This can be due to lack of resources, time or appreciation of the problem. Also, as you point out, many people are more interested in building careers than deploying and managing secure systems.

    While it is disappointing to see you, someone who appears to have a passion for security, leave the field, it is also good to see that you are still involved in IT and hopefully your security habits will rub off on those around you :)

  7. @Frank

    I am in favour of disclosure and ensuring companies protect our information to the levels that it should. However, I do think we need to look at ways that do not endanger the innocent. Newspapers may uncover corruption and other issues in companies but they do not do so at the cost of thousands of innocent people and expose their personal details to be abused by others.

    It is clear that we have a long way to go before we find a balance in how to deal with this issue, but hopefully we can get there by reasoned discussion and debate.

    Thanks for taking the time to read and comment.

  8. @ Christen

    Thanks for taking the time to comment.

    So you are happy that the details of individual user accounts are made publicly available for all to use and abuse?

    I am interested in finding out what you think this achieves and why you think it is justifiable?

  9. I have a few questions for yall:

    1. Is it acceptable that our governments with the industrial lobby outweigh public opinion in order to maintain current destructive implementation of capitalism (as admitted by many already for decades, check it yourself!) thereby increasingly affecting masses in an increasingly destructive manner?

    2. Because they are in fear for consumer markets they cannot manipulate as of current manners, even?

    3. Don’t we have governments to guard us against such (obstruction of) movement, development?

    4. So you rather like a million black-hats silently snooping around all of our sensitive information, as of they are doing this for years already? Unnoticed?

    5. Do you have any clue about damages evolving from this ‘obscurity through security’? At least you know now, your information have already long been compromised!

    6. What would be the point of holding on to laws that our own government and industrials apparently increasingly don’t feel need to be subject to? I guess that would be giving some peeps some good ‘ol lulz, over our decent tax paying consumer backs?

    7. Can you name me one fact within their ‘terrorism-management’ that actually made things better? To my very best knowledge, the most they did is creating an even worse situation, giving desperates other means to express – our fear of terrorism, that is.

    8. Did you know this insecurity or fear is directly and greatly adding to controlling consumer market, thereby as directly and greatly adding to current corruptency within capitalism? Next to that it eats our freedom, privacy, money and security?

    9. Up to today, nobody notices financial institutes evading our laws openly by closing down bank accounts (liquidity; constitutionally protected primary (defense) need) based on suggestions rather than verdicts? What do we pay our own public offenders for, anyway? How should we keep their laws again?

    10. Even continuing putting the blame rather on little kids than accepting facts even US Presidents have been admitting open and in public, already decades ago?

    11. Oh and an DDoS where people chose to manually create the ‘distributed’ factor by manually launching possibilities from even their own IP’s, is to me exactly the same as using your own face in a sit-in where you chained yourself to some organizations entrance. New age protesting that is, and a very logical move to internet as well, with current excuses being abused suppressing and manipulating public opinion. For their own good rather than public interest?

    I could go on for hours about this, You cannot deny all this for most of it IS already simply scientifically proven. Ignorance is no cause to be mistaking and I BET we are not paying tax to governments to put up such bullshit.

    Fact is, the vast majority of the masses DO feel insecure, DO work hardest, DO receive fewest in return, ARE oppressed everywhere especially when they are (greatly unconsciously) addressing somewhat more trivial and complex problems resulting out of governments own incorrect policies, and so on.

    If you really love your kids, you ought to consider all this. And I never said that there is NO cost / harm inflicted through these movements, CAN you NAME me ONE instance in history where it has not? I can name you numerous examples where it greatly costs / harms the masses. Much more greatly even.
