Posted on | June 20, 2011 | add a comment
USA TODAY, 20June2011, P1B
LulzSec, the upstart hackitivist group, was busy over the weekend. First, it disavowed responsibility for the hacking of video game company Sega. In fact it added a new twist by offering to help Sega (once long ago a big name in video games) track down the perpetrators.
Related story: Who’s who in LulzSec
Essentially, LulzSec and Anonymous have just declared open cyberwarfare against big governments and giant corporations. An excerpt from LulzSec’sÂ declaration:
Welcome to Operation Anti-Security (#AntiSec) – we encourage any vessel, large or small, to open fire on any government or agency that crosses their pathâ€¦Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments.
The rapid ascension of the hacker group LulzSec, if sustained, could signal a revival of cyberattacks carried out primarily to humiliate companies and government agencies.
“We’ve got some very powerful hackers apparently showing the world they’re powerful enough to break into any organization they want to,” says Josh Shaul, CTO at Application Security. “So why are they doing that? The best answer is because right now they can. And who knows what they’re setting themselves up to do in the future.”
After twice disrupting the U.S. Senateâ€™s website last week, then knocking the CIA’s website off line, LulzSec on Friday issued a press release via Twitter declaring: “This is the Internet, where we screw each other over for a jolt of satisfaction.”
It’s no idle rant. LulzSec — which appears to have splintered from the renowned hacktivist group, Anonymous — has also successfully hacked Sony several times, as well as the FBI, Fox, PBS, Nintendo and others.
The Sony hacks stemmed from the entertainment giant suing a young hacker, George Hotz, for reprogramming his PlayStation 3 gaming console; the PBS hack followed the network’s airing of a Frontline documentary LulzSec deemed unfair to WikiLeaks, the anti-secrecy group.
According to its press release, LulzSec is not seeking criminal profit nor participating in cyber espionage. â€œWe do things just because we find it entertaining.” The group’s name is a play on LOL (laugh out loud) Security. It issues bombastic press releases, produces animated videos, and uses a mustachioed cartoon character as a logo.
“The organizations have mostly been targeted for political reasons and the data release or defacement is to display scorn for and humiliate the target,” says Kurt Baumgartner, senior researcher at Kaspersky Lab. “SometimesÂ they claim they like the games too much and the hack is for pure sport. In other words, they feed on the public attention for their activity and are fairly eccentric.”
Yet behind the surface frivolity lies a smootth running campaign orchestrated by highly-skilled programmers and creative multi-media artists, security analysts say.
The group maintains an impregnable website, lulzsecurity.com, where it posts data stolen as part of its escapades. Indeed, on Friday the group posted 62,000 random e-mail and social network account logons — with passwords. In the accompanying statement, LulzSec appears to encourage folks to use the logons to access the accounts and play practical jokes on the account holders.
“Itâ€™s a good reminder that we need to use strong passwords for all of the online systems that are important to us,” says Shaul.
Groups like Anonymous and LulzSec are viable due to a confluence of developments, says Michael Sutton, vice president of research at security firm Zscaler. Role-paying video games and social networking has made collaborating with complete strangers second-nature; powerful, easy-to-use hacking and hiding programs are readily available; and corporations haven’t kept up, he says.
â€œAnonymous and LulzSec are determined and they have ignificant numbers,â€ says Sutton. â€œAnd when attackers band together with a common goal they often succeed.â€
As hacktivist groups rise in profile, copycats will likely emerge, says Marcus Ranum, chief security officer of Tenable Network Security. “That’s part of the transition were seeing,â€ says Ranum. “There’s a tremendous amount of resentment against this idea that corporations own the Internet.â€
Frank Kenney, VP of Global Strategy at Ipswitch, says the more active the hacktivists become, the more likely some of them will be caught — and be made an example of.
“When you impede the ability of a company to make money, when you put up a web site and start to have Twitter feeds, you start to leave enough breadcrumbs,” says Kenney. “This could lead to a very high-profile, I’m-going-to-make-an-example-of-you type of prosecution.”
Meanwhile, organizations would do well to keep LulzSec and Anonymous on their radar screen, says Mike Paquette, chief strategy officer at Top Layer Security.
Opines Paquette: “In general, if your organization has information that could be considered valuable by any group, or is doing anything that may be considered controversial amongst any constituent or affected community, and youâ€™re not prepared for a cyber response, youâ€™re probably not taking this seriously enough.”