How the Media Gets it Wrong On Infosec


On Lulzsec and Ryan Cleary


Various media organizations have reported on the arrest of one Ryan Cleary, implying or sometimes outright claiming that he is the leader of the group known as Lulzsec. As someone who has observed Lulzsec’s public communication channels and Twitter feeds, I found this very surprising, because Ryan ran the new encyclopediadramatica servers, and while Lulzsec did have a channel there, Ryan did not appear to take any major part in the channel’s operations or conversations. Now this could indicate that, if he was the leader of this group, he kept very quiet about it, and that would make a lot of sense. But if you look at the actual charges set against him, it becomes clear he is being charged with various DDOS attacks going back years, not with any of the many hacks Lulzsec has taken credit for. The charges did not mention the Sony hack or any other server breaches. In other words, he isn’t Lulzsec, and Law Enforcement knows this, or else they would have charged him (the supposed leader) with these crimes.

Let’s put this into perspective for those of us who are not technically minded. A DDOS attack simply prevents a server from connecting to the internet, and once it stops, the server comes back online as it was before the attack. It is the digital equivalent of a sit-in protest.

Hacking is breaking into the server itself. It is the digital equivalent of walking into a place of business that had its doors and vaults unlocked and a single security guard who was asleep and drunk, stealing their internal documents, and mass dropping copies all over the streets for all the public to see, after of course drawing a penis on the face of the passed-out guard and spray painting the insides with dirty limericks.

Now it seems more probable that the operatives from Lulzsec simply asked Ryan to DDOS sites of interest to “entertain the audience” while they worked on more serious projects. It is brazenly obvious that Lulzsec wants public attention, especially when it comes to information security matters. To quote Patrick Gray: “They’re pointing at the elephant in the room and saying “LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN’T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!” and finally the world is listening. Experts have been saying for years how insecure major companies are with personal and private information, and nobody listened to them. They went to the media, they wrote blogs, they even offered to help them fix it. Nobody listened. Now someone is finally doing what they all said *could* happen if companies did not properly secure the data they had. They took it and showed it to the public. Instead of holding on to the data and quietly exploiting it, they shoved down your throat the fact that the people you thought you could trust with your data were not so trustworthy after all.

How did this happen?

Lulzsec usually uses attacks already known to the public, attacks that have easy solutions for administrators to protect against: SQL Injection and Remote File Inclusion. These attacks are easy for administrators to test for and also easy to correct. They have been around for many years and should be few and far between, supposedly just the mark of a novice administrator who makes such a mistake. In other words, Sony should have known better, and probably did. The question you should be asking Sony is “Why didn’t you care enough about us to protect the private data we gave you?” And you should be asking yourself: what if the other hackers, the ones who do not want to disclose to the public what they do but instead want to quietly infiltrate as much of the internet as they can for as long as they can, already knew about this hole in Sony, and about other holes that they haven’t disclosed? How do you know your data isn’t being bought and sold right now?

It’s the quiet ones you have to worry about.

The media is also painting Lulzsec as this new threat to information security, as if they are doing something totally new and unexpected, when the reality of the matter is that there are a lot more hackers out there besides Lulzsec. You do not hear about them on the news. You do, however, notice that mysterious charge on your credit card bill, and you notice weird little things about electronic information: data that just vanished, or a program that just doesn’t quite work the way it used to. While there are many explanations for these events, one of the things that could have happened, and that most people do not consider, is a computer intrusion of some kind. If you see charges on your credit card, your first and most logical response is to ask your family members if they used it without permission. Usually this is going to be the case, but if your child or spouse denies it, consider the possibility that they may be telling the truth. Maybe your favorite website is having a hiccup and dropped some of your info by accident. It happens, but maybe someone’s been playing around in the databases. How would you know? Or perhaps your favorite application is having some unexpected performance issues. It could be that the latest patches broke something and you need to submit a bug, or it could be that your antivirus is not as good as it claims to be and you have been infected with a virus that takes screenshots of your activity and sends them to the hacker so he can sell your information on the black market.

The biggest threat to Information Security is ignorance.

You see, Lulzsec is not our biggest security concern by a long shot, nor is the kid botnet herder who was arrested recently, or those like him. It isn’t even the guy who wrote the code the kids use to make the botnets. It’s the millions of computers on the internet that are not secure. We live in an era of information technology: nearly everyone in the modern world has internet access, and most people have very little knowledge when it comes to basic security practices for computers. And what little they do know is probably wrong.

You don’t leave your car unlocked, and you don’t leave your safe open and your door wide for the world to see. So why do many people do the digital equivalent? It is not because they don’t want to be safe; it is because they do not know how. If they did, most of the botnets would disappear and most of the stolen credit card black markets would dry up. If the administrators of the servers on the net paid the least attention to their jobs, Lulzsec would not even exist, and the only reason they had not been compromised already was sheer dumb luck.

In some twisted manner we have lulzsec to thank for bringing the reality of our situation to light.


Written by laurelaibailey

June 23, 2011 at 7:15 am

Posted in lulzsec

5 Responses


  1. “The media” is such a catch-all term.

    Not all elements of this strange and hydra-like creature reported Cleary as part of the Lulzsec leadership. I’m aware of several UK outlets that mentioned the teenager from Essex MAY have been involved with Lulzsec on some level. Editors and journalists who believed in responsible reporting mentioned the fact and nothing else.

    Whilst a proportion of the media did indeed scream as if the digital bin Laden had been captured in an irresponsible fashion, it is equally as irresponsible for commentators to criticise the entire press and media.

    Other than that, some great points. Nice commentary.

    Frank

    June 23, 2011 at 9:47 am

    • Perhaps, but the ones who are screaming are the ones people hear, I personally didn’t come across any articles that seemed responsible, not to say they don’t exist, but that they were drowned out by the noise.

      laurelaibailey

      June 23, 2011 at 10:34 am

  2. Great article. Thanks for writing it. I’d encourage you to keep up this blog as it looks like it might turn out to be worth reading.

    Adam

    June 24, 2011 at 8:49 am

  3. I agree – great commentary. Your independent reviews are really thorough; which is just what I look for when we’re talking about such a juicy development 😄

    Gawker and BoingBoing keep their format tight and restrictive. I enjoy your clarity of speech.

    Wes Davis

    June 25, 2011 at 5:31 pm

