Computer hacker group LulzSec are in the news again. The team has carried out successful hacks on the PlayStation Network, PBS and the US Senate but the latest – which took down the CIA website for several hours earlier today – is the most spectacular.
So, who are LulzSec?
The identity of individual participants is unknown, but they are certainly carving a collective personality.
They don’t mind broadcasting their exploits to the world, using their Twitter account to inform their 161,000-and-counting followers of new attacks.
They appear to see themselves as merry (albeit potentially devastating) pranksters, rather than serious cyber-warriors – not unlike The Joker from Batman, they seem to be at their most playful when creating chaos and confusion.
The group’s home page features the following text, with the opening theme from 1970s-1980s TV show Love Boat playing in the background:
Hello, good day, and how are you? Splendid! We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun.
Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calender [sic] year.
Hours before their attack on the CIA website, LulzSec began diverting phone calls from a number they had publicly released to the numbers of various organisations, including the FBI in Detroit and Blizzard Entertainment, creators of World of Warcraft.
The game keeps changing
While LulzSec has been responsible for a number of attacks in recent weeks, the hacks on Sony and the CIA are quite different.
The Sony attack was devastating: LulzSec managed to take hugely valuable information from the company’s user database with impunity. This highlighted severe weaknesses in the way Sony implemented its systems – and particularly that it had not defended itself against a common form of attack: the SQL injection.
The attack on the CIA is not in the same league. At this stage it appears to have been a distributed denial-of-service (DDoS) attack, and these are notoriously difficult to defend against.
The simplest form of DDoS attack bombards a web server with many more requests than it can cope with. Rather than highlighting weaknesses in how the CIA runs its networks, this type of attack highlights a weakness in the way the internet is designed.
Which is not to say bringing down the website of such an iconic organisation won’t add hugely to LulzSec’s growing mystique.
What’s the gameplan?
LulzSec may have a gameplan but we don’t know it. On a basic level, there will be great intellectual pleasure in carrying out such high-profile attacks. In the Sony incident there was also an element of revenge against the entertainment giant for taking legal action against a 21-year-old hacker who had cracked the internals of the PlayStation 3.
There is also the kudos that such notoriety earns among the hacker community (although, after attacking the CIA, it would be wise to make sure they remain anonymous).
Perhaps there is a clue in the group’s motto: “Laughing at your security since 2011!”
For those of us who work in network security this does strike something of a chord. Some organisations take security very seriously but a surprising number do not. It’s often seen as something to worry about after the real work is done – not a core part of life on the internet.
Some security experts have admitted to schadenfreude over LulzSec’s attacks.
The feeling of many such experts could be characterised as follows: “For more than a decade we have been repeating to whoever would listen that internet security is not being taken seriously. We’ve been proven right. At least LulzSec let you know you’ve been compromised – what else is going on that you don’t know about?”
If the hat fits …
In the taxonomy of hacking there are:
“white hats” who, after having successfully compromised a computer system, will quietly advise the system’s owners.
“black hats”, who will keep the compromise quiet and perhaps exploit a system’s weakness for malevolent ends.
“grey hats”, who are in-betweeners – not necessarily malevolent, but certainly not gentlemanly white hats, given they broadcast their conquests to the world.
The PlayStation hack aside, LulzSec appears to be more grey hat than anything else.
How will firms respond?
A direct consequence of LulzSec’s current campaign will surely be the realisation by anyone who does business on the internet that security should be taken far more seriously.
Perhaps we will start to see less of what technologist Bruce Schneier terms “security theatre” – measures that provide the feeling of improved security, while actually doing little.
There are also system-wide issues that cannot be managed purely by improving system security.
Identity theft has conventionally been seen as a problem arising from personal information not being securely stored. But at least as big a problem is that companies and organisations tend to employ very weak procedures for authenticating the identity of people who initiate transactions.
This second issue requires far-reaching changes. The most significant (and positive) consequence of LulzSec’s attacks might be that they prompt these overdue changes.
What will LulzSec do in the meantime? Something tells me we won’t have to wait too long to find out.