Ex-LulzSec member: 'Hacking is turning something upside down to see how it operates’

Mustafa Al-Bassam was ten years old when he first began "thinking of ways to break" basic computer programs

Ex-LulzSec member 'Tflow' implores the UK government to readress its attitude to cybercrime and focus on cultural changes and how devious minds can be used for good.

Mustafa Al-Bassam was ten years old when he first began "thinking of ways to break" basic computer programs. He was 18 when handed a 20 month suspended sentence for hacking the likes of games maker EA, News International and Sony's playStation network.

How it began

Browsing the internet as a teenager, Al-Bassam began to notice how programmers had made mistakes that created security holes. A meticulous and talented programmer, he turned to the infamous Anonymous movement, which was gathering momentum and began sharing tips on how to exploit these vulnerabilities in online chat rooms.

In 2011, aged just 16, Mustafa and five other young men formed LulzSec, an offset of Anonymous, which they shunned for its "own set of social norms." LulzSec became a "sandbox" for the five programmers to discuss vulnerabilities they found in companies' code.

That summer the team embarked upon "50 Days of Lulz", a spate of cyber attacks that would bring down some of the most influential businesses in the world, including Sony, Fox, the NHS and EA games.

LulzSec included Jake Davis, who was then 18, from Lerwick, Shetland and identified as "Topiary" online; Ryan Cleary, then 19, from Wickford, Essex and titled "Viral" and Ryan Ackroyd, then 24, from Mexborough, South Yorkshire who took the moniker "Kayla."

Only Ryan and Cleary were handed prison sentences in 2013 after admitting to stealing 24.6 million individual pieces of customer data from Sony, a hack that took the PlayStation Network down for several days and cost the company a reported $20 million in revenue.

Following the sentences, Police e-crime Unit head Charlie McCurdie commented: "Theirs was an unusual campaign in that it was more about promoting their own criminal behaviour than any form of personal financial profit.

"In essence, they were the worst sort of vandal - acting without care of cost or harm to those they affected."

How to stop cybercrime

Now that Al-Bassam has completed his 20-month suspended sentence, 500 days of unpaid community service work and two-year internet ban imposed by the police, he is embarking on a computer science course at King's College London, and helping the police deal with the increasing undercurrent of cybercrime.

"Law enforcement sees hacking as witchcraft and wants to burn them [hackers] at the stake," Al-Bassam says.

He believes the UK should move toward a "less punishing attitude" and focus on holistic approaches to educate young people on why breaking into systems is wrong.

The national crime agency have taken note. It has already put an initiative in place to target users and sellers of a piece of malware that makes it easy to monitor keystrokes and spy on PC users through their webcams. The police say they have monitored users and sellers of the cheap Blackshades Remote Access Tool.

The agency will alert young people who have bought the tool - but have yet to have executed it - that what they are doing is wrong, and issue a 'first warning' so that they are aware what they are doing could get them in trouble, Louise Pordage, senior manager at KPMG and former Home Office National Crime Agency project lead, revealed during a Tech London Advocates conference yesterday.

'Hacking is turning something upside down'

"Hacking is turning something upside down to see how it operates," Al-Bassam says.

While cybercrime is on the increase, corporates often cite a lack of tech talent as an obstacle for innovation. Observing online chat rooms, it's clear that there are plenty of young people who have the neccessary skills companies need.

The government - and corporates - should work together to ensure these skills are put to good, says ethical hacking guru and founder of the Innotech Network, Jennifer Arcuri. Addressing the psychology behind hacking could save companies a lot on inneffective security products too, she adds.

"Albert Einstein defined crazy as doing the same thing over-and-over again and expecting a different outcome. If we walked into a time machine and went back five years, talked to all the major vendors at a trade show they would give you a song and dance about an IPS, and IDS, a fancy malware, an AV, here's a firewall. But if you look at what has happened in the last year with Defcon and LulzSec and so on, they would say the exact same thing.

"We don't need another firewall. What we are dealing with is one hundred percent human against human. We are facing cognitive behavioural problems and doing the same thing over and over again is not going to give us an answer."

Join the CSO newsletter!

Error: Please check your email address.

More about IPSKPMGNewsNews InternationalOffice NationalSony

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Margi Murphy

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts