Are we really living in a post-LulzSec world?
28 June, 2011 06:00
Black hat hacker group LulzSec may have announced that it is ceasing operations after 50 days of attacks on companies such as Sony, but the group still retains vast amounts of stolen data. Security experts are divided as to whether the scale of the attacks means companies are dealing not merely with 'script kiddies' — a term for hackers who use 'off the shelf' code and simple methods for discovering exploits — but with sophisticated cybercriminals.
So is the re-emergence of LulzSec inevitable, and where does this leave Anonymous, which the group recently teamed up with to target banks and government organisations in an 'anti-sec' operation?
A Twitter account associated with Anonymous recently tweeted that there will still be 'Lulz aplenty' and indicated it is now planning an attack on US agricultural seed and chemical company Monsanto, which also has an Australian operation. The attack, according to Anonymous, is a response to Monsanto's use of growth hormones in seeds in North America.
"We're going to hit MonsantoCo with something a little bit more serious than a distributed denial of service [DDoS] attack this time. F**k em," read the tweet.
Pure Hacking chief executive officer, Rob McAdam, told Computerworld Australia that he does not believe that LulzSec was as well organised as some other hacking entities the white hat hacker company has monitored and that, unsurprisingly given its name, the group was in it "for the laughs".
"In line with their agenda LulzSec targeted the most significant profiles that they could to in turn raise their profile in the shortest time frame possible," says McAdam. "I certainly don’t believe that every corporation they targeted, they successfully breached the network security."
In fact, he says there are probably quite a few targets the group went after that the public would never hear about because "there is no significance in a failed attempt."
While getting "15 minutes of fame" was great for the group's ego, he says it broke a number of laws and it was only a matter of time before the Federal Bureau of Investigation (FBI) caught up to them.
"Once they realised that the authorities were serious about prosecutions, the threat of a criminal record outweighed the infamy of it all," says McAdam.
"Hardcore hacker groups that derive their income from breaking the law don’t fear going to jail; for them the risk is all part of what they do. LulzSec has rightly decided to avoid going to jail at all costs and the fear of this happening has put everything into perspective for them."
On the question of where this leaves Anonymous, McAdam says that only the group itself could answer that. "The drive to pull back from hacking activities at this point has come from LulzSec but it is just one of many disparate groups with self imposed mandates. A similar organisation to LulzSec emerging? It’s a given," he says.
In contrast, M86 Security vice-president, Jeremy Hulse, says LulzSec are sophisticated and used a number of techniques that allowed them to get through corporations' cyber defences. While some of the tools they used are available on the Web, he says the group was very capable when it came to finding weak spots.
"They were behaving like script kiddies, but, to be fair, I think some of these organisations such as Sony had some basic vulnerabilities."
While Hulse says he does not support LulzSec's actions, he concedes that the group has drawn attention to people's tendency to become blasé about security until something happens.
"What they've done is the wrong way to educate people but it is a short, sharp shock to a lot of businesses that they do need to look at these things so from that respect it has had an effect," he says.
"LulzSec have said they are going to stop because they've made their point. Whilst they were doing that, what else was being done in the background? If I wanted to take attention from other activities I was doing, the perfect way to do that would be to announce all these other hacks."
He also doubts that people with the group's level of capability would simply disappear back underground.
"You think about the places LulzSec have hit and the information they've taken. We don't know all of what they have but it includes credit card details and emails. They probably don't need to keep hacking."
Hulse also warns that the group is unlikely to tell anyone what they are doing now.
"Any access to hacks they've done, they will change their methods completely so anyone searching can't track them down. If they get caught it will be on the script kiddie side of things."
According to Hulse, there are only two reasons why people hack — the first is for the money and the second for the fame.
"It's like an addiction for these guys; they will keep doing it. They may take the attitude that 'We told you that you should look at your security so now we are going to make you pay in a different way.' "
Looking at the future, he says better antivirus signatures need to be developed as some signatures are now 20 years old. The International Monetary Fund is believed to have been a victim of phishing, resulting in large amounts of data being stolen.
"We do have to look at different techniques and technologies because we can't rest on old technology. If organisations can get to the mindset of looking to the future, they will be better protected."
"Companies also need to have constant reflection on themselves and what they are doing," says Hulse. "That constant analysis of security is critical and if they don't have a program, then these hacks will continue."
Hulse also warns that Anonymous arguably poses a greater threat than LulzSec, as its members are capable not only of getting into systems but also of covering their tracks after exiting a system.
Sophos Asia Pacific head of technology, Paul Ducklin, says the only silver lining from LulzSec was that companies who saw security as just another IT cost were forced to take notice. However, he says, this does not justify the group's actions.
"Their motivation always seemed to be that it was tremendous fun [to hack companies] but there are a number of companies in both Australia and New Zealand, where there are no mandatory disclosure laws, that are saying 'I see security as a cost, not a value, and I'm going to try to minimise the amount that I spend and brush it under the carpet'"
"If you've been one of those people hiding behind the dark glasses, the glasses should be off by now and your moment of certainty that you are at risk has come," says Ducklin.
"It should have come long ago but it has now come."
He also warns that people should not believe anything LulzSec tweets or issues in press releases because the group was notorious for issuing false information.
"We seem to be rushing to believe the things they have said that are handy to believe. I don't know why you would because stealing data and publishing it is a criminal matter in most countries," he says.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au