Commentary: For the past 50-odd days a group calling itself LulzSec went on an Internet rampage, taking down government sites, compromising Web servers, posting police files and consumer data to the Web, and taunting a host of gaming companies and others. The hacking spree has come to an end--at least from that group, which announced Saturday that it was throwing in the towel. But has anything really changed?
Not really. Here's why:
First off, LulzSec is folding back into the group it spun off from: Anonymous. "We didn't 'run' we are in fact online @ irc.anonops.li," read a Sunday tweet from anonymouSabu, the account believed to belong to one of the core LulzSec members. "We retired lulzsec at its peak. We are smart."
Anonymous and LulzSec had announced a week ago that they were joining forces to target government agencies, banks, and other high-profile Web sites in an "AntiSec" campaign. And indeed, that campaign appears to be ongoing, with a Tunisian government site targeted today, according to The Hacker News.
"I don't see (the attacks) stopping anytime soon, to be truthful," said Boris Sverdlik, senior partner at Jaded Security Consulting, who's been following the attacks closely and writing about them on his blog. "I don't think (LulzSec) is going away. I think they'll be outed within a couple of weeks, and there will be arrests made, guaranteed."
Unmasking attempts began in earnest last week with a group calling itself TeamPoison releasing what it claims is the identity of Sabu, in what is known as a "dox," or a public release of documents containing personal data such as one's name and address. On Saturday, a group calling itself The A-Team posted information on 10 people believed to be members of LulzSec. LulzSec followed up with a dismissal of that information and a dox of its own. Later, TeamPoison released what it said were more LulzSec documents.
You can expect these outings to continue until more people start landing in jail. One person has been charged in connection with LulzSec activities: 19-year-old Ryan Cleary, who was arrested last week and released on bail earlier today. It's likely the arrest and the outings played a part in LulzSec's decision to call a halt to its activities so suddenly, especially given that the group on Friday had promised more antics for today. Investigators are probably hoping to get members to turn on their compatriots, knowing that the hackers have no doubt gone into cleanup mode, wiping incriminating data off their systems and encrypting their hard drives.
Meanwhile, peer-to-peer site The Pirate Bay removed LulzSec postings because one of the files in the group's final release on Saturday appeared to contain a virus, although it may simply have been triggering false positives in anti-virus software. If it were a virus, just downloading the file wouldn't infect a system, but running the executable or using the associated USB key image would. And the Tech Herald reported today that some of the information in that LulzSec release may have come from an inside source at AT&T, and that Cleary had told the news site as much back in May.
I would be lying if I said I won't miss the hacking theater that LulzSec created. But they're just the latest hackers to grab the headlines. Remember back to February 7, 2000. An outage on the largest Web site at the time, Yahoo, followed by distributed denial-of-service (DDoS) attacks that temporarily crippled the sites of eBay, Amazon.com, Buy.com, CNN.com, E*Trade, Datek, and ZDNet over the next few days, had people worried that security concerns could hamper growth of e-commerce. A high school student with the nickname "Mafiaboy" bragged about the attacks in Internet Relay Chat rooms and was later arrested, and everything went back to business as usual. There were computer attacks before then and there have been plenty since, too.
But the world is different now. The teen hackers and script kiddies have grown up, many of them becoming security professionals, while real criminals have muscled online, churning out phishing attacks and creating an ecosystem based on trying to rob banks over the Internet. LulzSec with its roguish Twitter charm and pseudo-political message created a bit of the romantic sheen that made criminals like Bonnie and Clyde folk heroes to some.
The group argued somewhat tongue-in-cheek that they were doing the industry a favor by highlighting security weaknesses. But those Web site flaws aren't new; companies have been neglecting to address them since the dawn of Arpanet. LulzSec is like a band of bored and disempowered college graduates taking out their frustration about political and corporate corruption on easy targets. They may have entertained the masses and tormented the likes of Sony, but they didn't advance the cause of Internet freedom or tackle social and economic injustice like Johnny Long does with his Hackers for Charity.org.
Unfortunately, it will take more than some wanna-be cyberpunks poking holes in Web sites to prompt organizations to really fix their sites and protect consumer data. "We need to change the way we look at security, and the way we do threat modeling," said Sverdlik of Jaded Security. "Attacks will continue until the industry as a whole comes up with standards outside of the regulations, which are jokes because most companies do a minimum to adhere to them."
Until then, be prepared for more data breaches and DDoS attacks.
Updated June 27 at 11:10 a.m. PT to add that a file in the last LulzSec release may have triggered false positives from anti-virus software.