Security Analyst Explains Why We Love Lulzsec


Patrick Gray of the Risky Business security podcast says many internet security professionals "secretly love" the ongoing antics of hacker group Lulzsec because it's forcing the public to come to grips with the sad state of online security.

The hacker collective that calls itself Lulzsec has made an awful lot of noise in recent days, hacking Sony, Nintendo, PBS and the security firm Black & Berg. The last attack came in response to a challenge from senior security consultant Joe Black, who offered a prize of $10,000 and a job with his company to anyone who could do it. By all appearances the group was able to pull off the attack with relative ease, but it nonetheless declined the prize. "Done, that was easy," it wrote in a message that, at last check, was still on the site. "Keep your money, we do it for the lulz."

Victims of such attacks probably don't find it very funny but according to Gray, it's not just "the Internetz" who are having a laugh watching Lulzsec do its thing. "It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts," he wrote in an article entitled "Why We Secretly Love Lulzsec."

"For the last ten years I've been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a shitty idea," he continued. "No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak."

But where op-eds and consultancy papers have failed, the very public beat-down delivered to the PlayStation Network in April has, at least in terms of attracting attention, been a smashing success. For those who have been preaching to empty houses about the need for tighter online security, that's great news.

"Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying, 'LOOK AT THE GIGANTIC F*CKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!'" he wrote. "There is no security, there will be no security. The horse has bolted, and it's not going to be the infrastructure that's going to change, it's going to be us."

He noted that the popular response to the PSN attack has been to heap scorn upon Sony but claimed that such an attack could, and still can, happen to anyone. He also pointed out that "state-sponsored hackers, likely Chinese," have even been able to break into networks belonging to major U.S. military-industrial corporations and make off with sensitive information.

"LulzSec is running around pummeling some of the world's most powerful organizations into the ground... for laughs! For lulz! For shits and giggles!" he added. "Surely that tells you what you need to know about computer security: there isn't any."

As for "senior security advisor" Joe Black, his day just kept getting worse. The attention drawn to his site by the Lulzsec attack led to the rather awkward revelation that Black is, to put it bluntly, a fake. "Attrition.org broke a story back in February on how Joe Black has used social media to create his 'Security God' image. Needless to say, they debunked the entire image," the Jaded Security website reported. "Unfortunately, real security guys are the only ones who actually read Attrition, and Joe Black was able to continue in his path to self-proclaimed 'Security God'." The site noted that while Black claims to be working on his Masters in Security Management, he actually withdrew from every course he was enrolled in back in January 2009, and there are also some apparently-important security certifications missing from his CV.

That's some pretty serious lulz right there.


So basically, we should look at all that Lulzsec is doing, and be happy that they are doing it for lulz, as anybody else could be doing it with far more evil intentions...

Well, I'm not going to be as annoyed by stories of these guys anymore...

As for "senior security advisor" Joe Black, his day just kept getting worse. The attention drawn to his site by the Lulzsec attack led to the rather awkward revelation that Black is, to put it bluntly, a fake.

Score another point for the dapper gentleman in the monocle.

Yes Yes Yes. So far Lulzsec has embodied true hacker ethos. They will wreck a company's shit but not to steal or hurt customers. Instead they just prove that they can break the system. In the long run hackers like these make the systems we use more secure and I am glad to see that some security professionals get it.

We love LulzSec? No I don't. They can fall in a pit of snakes.

I do not find his reasoning persuading me. I still find Lulzsec kind of immature, for I am a highly sophisticated and preserved citizen, huff huff.

But seriously, they are just... Posers to me.

So that's why I am having such a laugh at all of this. I'm in college for IT security. I guess this means I'll have a job open to me when I finish. :)

It sucks to see customers of these businesses suffer, and I know it doesn't seem like it, but trust me when I say it's for the greater good. Wouldn't you rather know your data is secure rather than trust a company that doesn't even have an operating firewall? I know I would.

Take this with a grain of salt if you must, but there are a few easy ways to protect yourself from hackers even when these companies can't.

Step 1: Always use HTTPS in your browser rather than HTTP. Most sites don't use SSL certificates (which is retarded, sorry Escapist, looking at you), but utilizing the sites that do use them is best.

Step 2: NEVER, I repeat, NEVER use your day to day credit card for online transactions, ever. Go out and get a prepaid credit card if you must purchase something online.

Step 3: I wouldn't trust online banking with my name, let alone my account numbers. Avoid it at all costs. If you must use it, only use it at home (you never know who is running Wireshark over wifi), but don't expect these banks to keep your data safe.

Only YOU can protect YOU. If you think all of these companies give a fuck about anything more than their bottom line, you are delusional.

Seems like someone's trying too hard to get noticed really.

At least some are catching on. In light of the recent focus on 'cyberterrorism', the cyberwarfare branch of the Ministry of Defence are one of the few areas where funding is not only safe but is also likely to be increased in the near future.

Jonny49:
In a way this reminds me of a play I did for drama, Accidental Death of an Anarchist. Probably because of the shits and giggles lulzsec seem to get from doing stuff to annoy people.

I can see his point, but that doesn't mean I dislike them any less for the PSN outage.

FYI Lulzsec != Whoever did the PSN attack. At least they are most likely different groups.

See, the thing about security is; If people didn't do illegal things and break into places they aren't supposed to be in, to take things that aren't theirs, we wouldn't need security.

Patrick Gray was way off on his idea why I'm a fan of Lulzsec, but that's just his guess.
Personally I just like the fact that there's these people out in the information world just wreaking havoc with big companies. How many people get messed with every day by these businesses?
It's almost like the new Robin Hood, except instead of stealing money from the rich and giving to the poor it's just petty revenge and lulz.

I agree with Mr. Gray. If people are entrusting their personal info to companies, said companies better damn well make sure it's as secure as possible. Hopefully this will also get the general public to take online security seriously (no more using the same password for every login, etc).

What I'm not hopeful about is company execs taking this as a more serious issue. Most likely they'll whine to legislatures and bribe (aka: "lobby") to get more draconian legislation passed.

puffenstuff:

Jonny49:
In a way this reminds me of a play I did for drama, Accidental Death of an Anarchist. Probably because of the shits and giggles lulzsec seem to get from doing stuff to annoy people.

I can see his point, but that doesn't mean I dislike them any less for the PSN outage.

FYI Lulzsec != Whoever did the PSN attack. At least they are most likely different groups.

I swear I read somewhere they took responsibility for it...

I might just be going crazy.

See everyone loves them, cuz it's all about the lulz :P

They got into the NHS systems a couple of days ago, apparently, and just left a load of messages saying "We're here, and we shouldn't be. Fix your stuff." Or words to that effect.

http://www.bbc.co.uk/news/technology-13712377

Jonny49:

puffenstuff:

Jonny49:
In a way this reminds me of a play I did for drama, Accidental Death of an Anarchist. Probably because of the shits and giggles lulzsec seem to get from doing stuff to annoy people.

I can see his point, but that doesn't mean I dislike them any less for the PSN outage.

FYI Lulzsec != Whoever did the PSN attack. At least they are most likely different groups.

I swear I read somewhere they took responsibility for it...

I might just be going crazy.

Not entirely crazy. Lulzsec did the attack on Sony Pictures in the wake of the PSN fiasco but was not, to the best of my knowledge, involved in the PSN outage.

As a gray hat myself I find the problem lying with the security companies people hire. They charge a company a couple thousand to do an Nmap maybe some pen testing and take a look at some firewalls. When what they need is a whole lot more... They need Truecryption... They need constant Cain & Abel monitors... and they need monthly pentesting. They need to find their vulnerabilities and patch them ASAP! Not this let's wait 2 months to patch and then pull the network online.... oh wait we have a map of all the exploits now too late rebuild it.

Everyone is looking to cut back on hiring professionals and offer 8 dollar an hour jobs. This is the one field where THEY CANNOT CUT IF THEY EXPECT TO CONTINUE TO OPERATE AS A BUSINESS.

~ Y0DA
Designing Security Solutions for the medical Industry Since 1999.

-Samurai-:
See, the thing about security is; If people didn't do illegal things and break into places they aren't supposed to be in, to take things that aren't theirs, we wouldn't need security.

You go ahead and tell people who do crimes not to do them anymore and see how that works out.

The world isn't flowers and butterflies. The people who tend to do this sort of stuff are the down and out individuals in third world countries, which, if they can steal your information to buy a product and resell it, means they'll get to eat a decent meal for a week or so or pay rent so they don't have to live in the streets. Same goes for most of the people who commit physical crimes. It is their last option.

Fwee:
Patrick Gray was way off on his idea why I'm a fan of Lulzsec, but that's just his guess.
Personally I just like the fact that there's these people out in the information world just wreaking havoc with big companies. How many people get messed with every day by these businesses?
It's almost like the new Robin Hood, except instead of stealing money from the rich and giving to the poor it's just petty revenge and lulz.

I dunno, why don't you tell me how many people get messed with every day by Sony?

Low Key:

-Samurai-:
See, the thing about security is; If people didn't do illegal things and break into places they aren't supposed to be in, to take things that aren't theirs, we wouldn't need security.

You go ahead and tell people who do crimes not to do them anymore and see how that works out.

The world isn't flowers and butterflies. The people who tend to do this sort of stuff are the down and out individuals in third world countries, which, if they can steal your information to buy a product and resell it, means they'll get to eat a decent meal for a week or so or pay rent so they don't have to live in the streets. Same goes for most of the people who commit physical crimes. It is their last option.

And what part of any of that applies to groups like Lulzsec or Anon?

Interesting take on this, actually... Lulzsec seem to be basically ad-hoc 'white' hackers, hacking into big databases and informing companies that their security is flawed so they can fix it.

Oh, also, Lulzsec also recently hacked into the NHS (National Health Service - the British health system) database apparently. Said they "stumbled upon" the admin passwords and stuff, though they didn't steal anything. Just thought I'd point out another example. ;P

zehydra:

Fwee:
Patrick Gray was way off on his idea why I'm a fan of Lulzsec, but that's just his guess.
Personally I just like the fact that there's these people out in the information world just wreaking havoc with big companies. How many people get messed with every day by these businesses?
It's almost like the new Robin Hood, except instead of stealing money from the rich and giving to the poor it's just petty revenge and lulz.

I dunno, why don't you tell me how many people get messed with every day by Sony?

I was asking the question, which kind of implies I don't know the answer.
I'm not one of those who asks a question just so they can come up with the prepared answer.

-Samurai-:

Low Key:

-Samurai-:
See, the thing about security is; If people didn't do illegal things and break into places they aren't supposed to be in, to take things that aren't theirs, we wouldn't need security.

You go ahead and tell people who do crimes not to do them anymore and see how that works out.

The world isn't flowers and butterflies. The people who tend to do this sort of stuff are the down and out individuals in third world countries, which, if they can steal your information to buy a product and resell it, means they'll get to eat a decent meal for a week or so or pay rent so they don't have to live in the streets. Same goes for most of the people who commit physical crimes. It is their last option.

And what part of any of that applies to groups like Lulzsec or Anon?

You mean two groups out of the potential tens of thousands of malicious hackers out there? Yeah, you better work on another argument.

I did a report on cyber security right before the PSN outage. This pisses me off, I could have used LulzSec in my paper :(

People love them? I hate them. Especially if they put an elephant's trunk in my coffee.

Low Key:
So that's why I am having such a laugh at all of this. I'm in college for IT security. I guess this means I'll have a job open to me when I finish. :)

It sucks to see customers of these businesses suffer, and I know it doesn't seem like it, but trust me when I say it's for the greater good. Wouldn't you rather know your data is secure rather than trust a company that doesn't even have an operating firewall? I know I would.

Take this with a grain of salt if you must, but there are a few easy ways to protect yourself from hackers even when these companies can't.

Step 1: Always use HTTPS in your browser rather than HTTP. Most sites don't use SSL certificates (which is retarded, sorry Escapist, looking at you), but utilizing the sites that do use them is best.

Step 2: NEVER, I repeat, NEVER use your day to day credit card for online transactions, ever. Go out and get a prepaid credit card if you must purchase something online.

Step 3: I wouldn't trust online banking with my name, let alone my account numbers. Avoid it at all costs. If you must use it, only use it at home (you never know who is running Wireshark over wifi), but don't expect these banks to keep your data safe.

Only YOU can protect YOU. If you think all of these companies give a fuck about anything more than their bottom line, you are delusional.

Dude, awesome post, thanks. Any more tips?
Just out of curiosity, I'm no web developer, what's the difference between HTTPS and HTTP?

He gives the public too much credit.
I'm a network security professional by trade; I don't have any particular love for hacker groups, primarily because it introduces more and more legal burden as time goes on.

Low Key:

-Samurai-:

Low Key:

You go ahead and tell people who do crimes not to do them anymore and see how that works out.

The world isn't flowers and butterflies. The people who tend to do this sort of stuff are the down and out individuals in third world countries, which, if they can steal your information to buy a product and resell it, means they'll get to eat a decent meal for a week or so or pay rent so they don't have to live in the streets. Same goes for most of the people who commit physical crimes. It is their last option.

And what part of any of that applies to groups like Lulzsec or Anon?

You mean two groups out of the potential tens of thousands of malicious hackers out there? Yeah, you better work on another argument.

We're not talking about those groups, are we? We're talking about the ones that have a large amount of ignorant supporters. The ones that have a news article about them on this site nearly every day.

You can't justify their actions.

LoL, security doesn't exist, that is the reference to a security blanket. It feels safe, but it can't protect you from anything.

If someone wants your stuff, they can get it, all that matters is the amount of moral crimes they are willing to commit to get it.

Anyone who thinks you are safe is ignorant, no matter how many rules or laws exist to keep you that way, you can't stop them if they have the will to make it happen.

He is right though, the smartest thing would be to not put your private information out there. That is the social change that he is surely talking about.

Traun:

Low Key:
So that's why I am having such a laugh at all of this. I'm in college for IT security. I guess this means I'll have a job open to me when I finish. :)

It sucks to see customers of these businesses suffer, and I know it doesn't seem like it, but trust me when I say it's for the greater good. Wouldn't you rather know your data is secure rather than trust a company that doesn't even have an operating firewall? I know I would.

Take this with a grain of salt if you must, but there are a few easy ways to protect yourself from hackers even when these companies can't.

Step 1: Always use HTTPS in your browser rather than HTTP. Most sites don't use SSL certificates (which is retarded, sorry Escapist, looking at you), but utilizing the sites that do use them is best.

Step 2: NEVER, I repeat, NEVER use your day to day credit card for online transactions, ever. Go out and get a prepaid credit card if you must purchase something online.

Step 3: I wouldn't trust online banking with my name, let alone my account numbers. Avoid it at all costs. If you must use it, only use it at home (you never know who is running Wireshark over wifi), but don't expect these banks to keep your data safe.

Only YOU can protect YOU. If you think all of these companies give a fuck about anything more than their bottom line, you are delusional.

Dude, awesome post, thanks. Any more tips?
Just out of curiosity, I'm no web developer, what's the difference between HTTPS and HTTP?

HTTPS means that particular site is using SSL (secure socket layer) certificates, just another layer of security.

In layman's terms, it means that the only parties who can see what you are typing in, say for instance on Google, are you and Google. No one else. Essentially, SSL creates an encrypted tunnel between you and the website you are on.

If you are running Firefox, you can install an add-on that automatically uses HTTPS instead of HTTP on sites that have SSL certificates. Here's a link: https://www.eff.org/https-everywhere

DustyDrB:
We love LulzSec? No I don't. They can fall in a pit of snakes.

Someone was going to hack these places at some point.

Better someone doing it for a laugh and teaching these companies a lesson than someone out to steal everything you've ever owned and eat your pet puppy.

I wouldn't be surprised if soon news starts spreading, about the "global war on cyber-terrorism", and how most countries in the world will be enforcing legislations, to "protect us" from the dangers of the internet......

...by restricting our access and controlling what we do.

-Samurai-:

Low Key:

-Samurai-:

And what part of any of that applies to groups like Lulzsec or Anon?

You mean two groups out of the potential tens of thousands of malicious hackers out there? Yeah, you better work on another argument.

We're not talking about those groups, are we? We're talking about the ones that have a large amount of ignorant supporters. The ones that have a news article about them on this site nearly every day.

You can't justify their actions.

As far as I know, Anonymous has never been in it for personal data nor have they published anything of the sort. I know Sony is saying something different, but their story has changed so many times since this all started. They are just trying to cover their asses so their stock stops plummeting.

LulzSec on the other hand, have published others' personal data, but the majority of their work has been breaking into high profile websites to prove the state of security amongst them is utter shit. While I don't support the theft of personal data, I do in fact support the cracking of websites to send a message that the bottom line of multi-million/billion dollar corporations should include the security of their customers' data.

Ultimately, both groups are in better standing with me than say some random hacking group from some random Eastern bloc nation that does a hit and run on a website purely for profit. Identity theft is the largest crime being committed today. You may not have been affected yet (yet is the keyword), but chances are it WILL happen to you and I assure you that neither Anonymous nor LulzSec will be behind it when that time comes.

puffenstuff:
Yes Yes Yes. So far Lulzsec has embodied true hacker ethos. They will wreck a company's shit but not to steal or hurt customers.

I think there's some PSN customers who'd disagree with you.
