Four lessons from LulzSec vs Murdoch

What next for the merry band of hackers?

Shooting for the Moon: Does this image hint at LulzSec's next target after The Sun, or is it just another distracting joke? (source unknown)

Shooting for the Moon: Does this image hint at LulzSec's next target after The Sun, or is it just another distracting joke? (source unknown)

LulzSec's hack of News International websites including The Sun yesterday is one of the highest-profile information security breaches in history. Down went a major media company. But it means almost nothing beyond the daily news cycle.

At first glance you might imagine that defacing a major UK website and posting a hoax story about the death of its proprietor would finally draw attention to information security issues. There's hackers out there, folks, and unless you get your act together now they will pwn you.

At second glance you might imagine that LulzSec's attack was even more effective. With multiple websites compromised, News International was forced to take its entire internet presence offline for hours while they figured out what was going on. Web, email, the lot, representing hundreds of domains. That's a massive loss of face, and presumably a hit on the company's productivity and advertising revenue.

But I'm not so sure.

I reckon there's four key lessons from yesterday's events.

Lesson One: LulzSec knows how to get attention. Kinda.

One aspect of LulzSec's timing is exquisite. In a week when Rupert Murdoch is dominating the news -- and not in a good way -- on the very eve of his public interrogation, they took out his British crown jewels. That hurts.

But the timing was also seriously flawed. The attack started at 10.30pm UK time and unfolded once most Britons were asleep. Relatively few visitors to would have seen the hoax story. The financial cost to News International was lass at that hour. There was no follow-up. The media could turn to the real story of the day: Murdoch's evidence before a parliamentary committee.

LulzSec's team is smart and entertaining, but they're hardly public relations professionals.

Lesson Two: No-one cares. Hacking is a circus that affects someone else.

We've seen hack after hack after hack, but civilisation has stubbornly refused to crumble. We've cried wolf a few hundred times too often. We're experiencing what Paul Ducklin from Sophos calls "hack fatigue".

We only hear about successful hacks, from LulzSec or anyone else, Ducklin told CSO Online. "They can crow about every time they have a success," he said, "but you never hear about the sites they never broke into."

Presumably a vast number of hacks are thwarted by our armies of hardworking infosec specialists.

And we only hear about attacks against high-profile targets. "Along with the whole meme about cyberwar and cyber terrorism, it reinforces the message, 'Little old me? I'm off the cybercrooks' radar'," Ducklin said. "That's the worry for me."

Lesson Three: Nothing has changed in years.

While some infosec experts have publicly spoken out against LulzSec as irresponsible criminals, I know they're secretly cheering them on. Public pranks, risqué repartee and blatant baiting of the victims is getting LulzSec the attention that more sober methods have failed to achieve.

"Thank you, LulzSec, for bringing this to my boss' attention. Now we can finally get the security budget we need," seems to be the message.


What's changed?

In the last year or so the mainstream media has run stories about hacks, or attempted hacks, of Google, the US Senate, Lockheed, AT&T, NATO, Epsilon, RSA, MySQL, WordPress, Paris Hilton and Mark Zuckerberg's Facebook fan page. In Australia think Vodafone, Lush, Monash University and even prime minister Julia Gillard's email. Only three months ago it was the Sony PlayStation Network data breach -- the fourth-biggest breach in history and for which LulzSec claimed responsibility.

After all those stories we held urgent meetings, changed our ways, and put infosec at the top of the business agenda, right?

Yeah right.

Lesson Four: No-one looks at their own information security until they themselves get hacked.

The very first hack claimed by LulzSec's was, another Murdoch business. While defending a complex network against a determined adversary certainly ain't easy, News International does seem to have been comprehensively compromised.

I'd have thought that seeing a stablemate go would have led to a better defence. But perhaps not. Perhaps that's asking too much of human nature.

So what next?

We all get to speculate about LulzSec's next move. They claim to possess a News International email archive, and said they'd release it Tuesday. But even by US time there's only a couple of hours left.

"The Sun taken care of... now what about the moon...", LulzSec tweeted early this morning Australian time, linking to the image above. Hint? Or meaningless distraction?

Contact Stilgherrian at, or follow him on Twitter at @stilgherrian.


Join the CSO newsletter!

Error: Please check your email address.

Tags News Internationalsecurity breachesfox.comcybercrimeMurdocksophoshoaxinfosechacksecurityLulzsecPaul Ducklincyber terrorismnews

More about Epsilon InteractiveetworkFacebookGoogleMonash UniversityMonash UniversityMySQLNATONews InternationalRSASonySophosVodafone

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stilgherrian

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts