So Long, and Thanks for All the Lulz

by Chris Perry

On June 26th, the Anonymous hacker group Lulz Security—formed in May 2011, and known as LulzSec—ended their 50-day reign of (sort of) terror and voluntarily shut down their operations. LulzSec victims included PBS, whose site was defaced in retaliation for a negative portrayal of WikiLeaks; CIA.gov, which was taken down for a couple of hours by a DDoS attack; and Senate.gov. Though there was no explanation given for this abrupt end beyond “our work here is done,” speculation is that the group is disbanding because of leaked personal details and increased attention by various national authorities.

(LulzSec is not to be confused with the also-anonymous hacking group, Anonymous, or with any of the myriad of other groups that have taken it upon themselves to take LulzSec out.)

While definitely brazen and vocal, the exploits of LulzSec weren’t as slick, from a technical standpoint, as you would gather from much of the coverage. DDoS attacks are relatively easy to perpetrate and much more akin to beating something with a sledgehammer than cat burgling. The botnets required can either be rented for about $200 or outsourced to like-minded individuals that congregate in IRC chat rooms such as 4chan (as was done to Tumblr, Amazon, Paypal, and the Swiss bank PostFinance). 



As for those actions in which database security was compromised and data stolen—you can chalk that up to the dismal state of information security. The vulnerabilities of various components that make up the Web are well documented. In fact, you can google the tools and techniques needed for exploiting many of these holes. There is even an open-source product meant as testing software for security professionals called Metasploit that has out-of-the-box packages for finding and exploiting vulnerable systems. 



The truth of the matter is this: very few companies and organizations are prepared to fully fund the security efforts needed to fix these flaws. You may worry that if the CIA isn’t concerned about network security, then who is.  But the CIA.gov site is the public portal, and doesn’t really contain any valuable data.  It’s a PR nightmare for sure, but not really of any operational significance for the agency. (As an interesting aside: it seems that the attack on CIA.gov was precipitated by another hacker saying DDoS attacks were not hacking, and that LulzSec should prove their credentials. Which they did…by launching a DDoS attack.)



LulzSec has taken this lack of security to logical conclusion by combining non-technical hacking with anonomyzing applications such as Tor and proxy browsing. This leaves very little in the way of accountability, and makes it extremely difficult to prosecute these shenanigans.



This becomes particularly problematic for two reasons. First, there is so much personal information out there that is relatively unsecured. One of the LulzSec data dumps consisted of 62,000 username/password combinations hacked from an undisclosed website. These weren’t even hacked directly by LulzSec, but instead found on file sharing forums. And because so many of us recycle our combinations, there is the strong likelihood that if you have the keys to one site, you have the keys to many. Internet security professionals have been harping on this for years, with little luck getting the lesson to stick. 



The second problem is that the LulzSec folks were relatively small-time hackers who did a lot with relatively little in the way of skill. Security has become so lax overall that hacking can be learned with a Google search. This will be increasingly problematic going forward, as there is a proliferation of both criminal networks mining data and after-school hackers who are in it for the lulz.