How the Media Gets it Wrong On Infosec


Archive for the ‘lulzsec’ Category

Why arresting lulzsec won’t change anything


EDIT: Seems lulzsec proved me right: http://pastebin.com/1znEGmHa. Now it really won’t matter if they are arrested, and they have completed their apparent objective of fueling the antisec movement.

Federal law enforcement agencies from around the world have been working to arrest members of the group known as lulzsec. Love them or hate them, lulzsec has changed how the public views hackers and hacking. It has brought more attention to the cyber world and the cultures that develop there, and it has changed how some hackers operate. Instead of quietly hacking smaller websites or targets of personal interest, they hack or attempt to hack government targets and post about it on social networks and public chat rooms. Lulzsec declared war on the US Government, and others like them have answered the call to arms. By doing this, lulzsec has ensured that even if they themselves are caught their cause will live on without them; in fact, their capture would likely only motivate their followers further.

These “daughter groups” seem to be based on their region. On Twitter I have seen “lulzsec”-based groups for Brazil, and there have been reports of graffiti tags showing the word “antisec” and lulzsec’s mascot image in San Diego. I do not know how many other groups such as this are out there, but considering lulzsec’s over 200,000 Twitter followers the number could be significant. Considering law enforcement’s history of dealing with cell-based groups, if they seriously want to stop the antisec movement they are going to need a different approach than the one they are currently taking. Fighting them directly is only going to expand the antisec movement and fuel its anger.

Right now lulzsec and its allies have the advantage because their operation is popular and costs very little to run but does a significant amount of damage, while government forces cost significant amounts of money to train and operate and do very little damage. Considering how slow governments are to adopt change, even when it directly benefits them, lulzsec and its allies will be at this for quite some time.

If the governments were truly serious about stopping this threat they would work to defuse the anger and outright hate people feel toward the government these days. They would take steps to show people that they are not the bad guys and stop taking such a hard approach. They would pay more attention to public perceptions and address the issues that people have in an honest and transparent manner, being answerable to the public when questions are asked. For example, there may be a perfectly rational explanation as to why the FBI took servers that didn’t seem to have anything to do with lulzsec from DigitalOne, but the people will never know why because they won’t comment, and when they do, people feel like what they are told does not really explain anything. So without answers from official sources right away, people will just draw logical conclusions based on the available evidence, and said evidence makes it look like the FBI has no idea what it is doing, and they have good reason to believe that.

As of late the government’s actions in public have been disastrous, and it has gotten to the point where people feel compelled to act to stop it. People feel like their rights are being stripped away and that they have no control over their own private lives. They are afraid. So when someone comes along who is not afraid, and not only not afraid but willing and able to act against the target of their fears, they rally around them and support them, feeling less afraid to act themselves, and after enough time they lose all fear of any legal repercussions because they believe they are morally right. This is the point we are at right now: they have motivated and emboldened people that the government has alienated and ignored. Stopping lulzsec won’t stop antisec; in fact it will likely do the opposite. The game has been changed, and right now the only winning move is not to play.

Written by laurelaibailey

June 25, 2011 at 4:48 pm

Posted in lulzsec


On Lulzsec and Ryan Cleary


Various media organizations have reported on the arrest of one Ryan Cleary, implying or sometimes outright claiming he is the leader of the group known as Lulzsec. As someone who has observed lulzsec’s public communication channels and Twitter feeds, I found this very surprising, because Ryan ran the new encyclopediadramatica servers, and while lulzsec did have a channel there, Ryan did not appear to take any major part in the channel’s operations or conversations. Now, this could indicate that if he was the leader of this group he kept very quiet about it, and that would make a lot of sense. But if you look at the actual charges set against him, it becomes clear he is being charged with various DDoS attacks going back years, not with any of the many hacks lulzsec has taken credit for. The charges did not mention the Sony hack or any other server breaches. In other words, he isn’t lulzsec, and law enforcement knows this, or else they would have charged him (the supposed leader) with these crimes.

Let’s put this into perspective for those of us who are not technically minded. A DDoS attack simply prevents a server from connecting to the internet, and once it stops the server comes back online as it was before the attack. It is the digital equivalent of a sit-in protest.

Hacking is breaking into the server itself. It is the digital equivalent of walking into a place of business that had its doors and vaults unlocked and a single security guard who was asleep and drunk, then stealing their internal documents and mass dropping copies all over the streets for all the public to see, after of course drawing a penis on the face of the passed-out guard and spray painting the insides with dirty limericks.

Now it seems more probable that the operatives from lulzsec simply asked Ryan to DDoS sites of interest to “entertain the audience” while they worked on more serious projects. It is brazenly obvious that lulzsec wants public attention, especially when it comes to information security matters. To quote Patrick Gray: “They’re pointing at the elephant in the room and saying ‘LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN’T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!’” And finally the world is listening. Experts have been saying for years how insecure major companies are with personal and private information, and nobody listened to them. They went to the media, they wrote blogs, they even offered to help them fix it. Nobody listened. Now someone is finally doing what they all said *could* happen if they did not secure the data they had properly. They took it and showed it to the public. Instead of holding on to the data and quietly exploiting it, they shoved it down your throat that the people you thought you could trust with your data were not so trustworthy after all.

How did this happen?

Lulzsec usually uses attacks already known to the public, attacks that have easy solutions for administrators to protect against: SQL Injection and Remote File Inclusion. These attacks are easy for administrators to test for and also easy to correct. They have been around for many years and should be few and far between, supposedly just the mark of a novice administrator. In other words, Sony should have known better, and probably did. The question you should be asking Sony is “Why didn’t you care enough about us to protect the private data we gave you?” And you should be asking yourself: what about the other hackers, who do not want to disclose to the public what they do but instead want to quietly infiltrate as much of the internet as they can for as long as they can? What if they already knew about this hole in Sony, and other holes that they haven’t disclosed? How do you know your data isn’t being bought and sold right now?

It’s the quiet ones you have to worry about.

The media is also painting lulzsec as this new threat to information security, like they are doing something totally new and unexpected, when the reality of the matter is there are a lot more hackers out there besides lulzsec. You do not hear about them on the news. You do, however, notice that mysterious charge on your credit card bill, and you notice weird little things about electronic information: data that just vanished, or a program that just doesn’t quite work the way it used to. While there are many explanations for these events, one of the things that could have happened that most people do not consider is a computer intrusion of some kind. If you see charges on your credit card, your first and most logical response is to ask your family members if they used it without permission. Usually this is going to be the case, but if your child or spouse denies this, consider the possibility that they may be telling the truth. Maybe your favorite website is having a hiccup and dropped some of your info by accident. It happens, but maybe someone’s been playing around in the databases. How would you know? Or perhaps your favorite application is having some unexpected performance issues. It could be the latest patches broke something and you need to submit a bug, or it could be your antivirus is not as good as it claims to be and you have been infected with a virus that takes screenshots of your activity and sends them to the hacker so he can sell your information on the black market.

The biggest threat to Information Security is ignorance.

You see, lulzsec is not our biggest security concern by a long shot, nor is the kid botnet herder who was arrested recently or those like him. It isn’t even the guy who wrote the code the kids use to make the botnets. It’s the millions of computers on the internet that are not secure. We live in an era of information technology: nearly everyone in the modern world has internet access, and most people have very little knowledge when it comes to basic security practices for computers. And what little they do know is probably wrong.

You don’t leave your car unlocked, and you don’t leave your safe open and your door wide for the world to see. So why do many people do the digital equivalent? It is not because they don’t want to be safe; it is because they do not know how. If they did, most of the botnets would disappear and most of the stolen credit card black markets would dry up. If the administrators of the servers on the net paid the least attention to their jobs, lulzsec would not even exist, and the only reason they had not been compromised already was sheer dumb luck.

In some twisted manner we have lulzsec to thank for bringing the reality of our situation to light.

Written by laurelaibailey

June 23, 2011 at 7:15 am

Posted in lulzsec