There has been a string of breaches against various companies claimed by a hacking group called Lulzsec. They have attacked organisations such as Sony, the US Senate, the security company Unveillance, the Atlanta chapter of an FBI affiliate group called Infragard, Bethesda Software, the British National Health Service, PBS and numerous others including many pornography sites.
They claim to be highlighting how weak the security of these organisations is and to teach them a lesson in how to secure their systems. By any logical reasoning this is not a valid argument. If you were to equate this to real life it would be similar to someone breaking into your house and leaving a note on your kitchen table to tell you that the lock on your front door was weak and while they are at it, taking some private information and posting it on a noticeboard for everyone to see.
Lulzsec has been getting a lot of publicity, with many people acting as cheerleaders as they cause havoc across the web. Many see them as a group that is finally forcing organisations to sit up and take notice of their lax security practices and argue that this is for the greater good. However, in most countries what Lulzsec is doing is against the law and the actions they are taking are criminal acts. There is also the matter that in a number of cases Lulzsec has posted the personal information of the customers of the breached sites onto the Internet, which now poses a security threat to those individuals. There are more ethical and acceptable ways to make companies aware that their security is not up to scratch, ways that do not involve putting innocent people at risk.
Tonight may be the time when Lulzsec overreached themselves. It appears they launched a Distributed Denial of Service (DDoS) attack against the CIA website, www.cia.gov. At the time of writing the CIA website is not reachable.
I suspect that they may have tried to breach the website but were unable to do so and as a result have simply blocked all traffic to the site. This may not expose any sensitive information or breach the security of the site, but it does present a very embarrassing situation for the CIA. This action, I am sure, will not go down well with the authorities, and the CIA, and by extension the US Government, have a lot more resources open to them to track down the source of the attackers than, say, Sony or any of the other organisations they have attacked.
In addition to the CIA, Lulzsec have also drawn the ire of another infamous hacker called th3j35t3r. Th3j35t3r appears to be a pro-western hacker and has been responsible for a number of attacks against websites supporting extremist terrorism. In the tweet below he tells Lulzsec “re your last hit. Gloves off. Expect me.”
It promises to be an interesting few days ahead for the members of Lulzsec and those of us looking on.
UPDATE 16th June 2011
Thanks to a very interesting discussion with attrition.org on Twitter, a number of items have been pointed out to me:
In the third paragraph I state that there is no “logical reasoning” behind Lulzsec attacking certain companies to highlight “how weak the security of these organisations is and to teach them a lesson in how to secure their systems.” As was pointed out to me, just because I do not agree with their methods does not mean there is no logical reasoning behind it. This is a very valid point. While I do not believe breaking into a system and publishing the information found there is the correct way to show how ineffective an organisation’s security is, that does not mean that it is not a way to demonstrate it. I also fully accept that the more ethical, legal and perhaps, as some would argue, naive way is not always effective, as companies can, and in some cases will, choose to ignore the findings they are presented with. But does this justify breaking into their systems and publishing their information or that of their customers? How do we determine what is the right way in this situation? Who or what gives individuals the right to break the law and hack into a system and expose sensitive data?
What are your thoughts on the issue? What is the most effective way to get organisations to address issues with the security of their systems without having to break the law or put innocent users at risk?