Hackers Shift From Child’s Play To Serious Business
Cyber-attackers are hitting higher-profile targets for financial gain, for “hacktivist” causes or just for fun
Continued from page 1
The shift to data theft was even more pronounced as a group of six individuals, under the name of LulzSecurity, went on a hacking spree for 50 days from May to June this year. LulzSec went after various Sony properties to expose the poor security practices still prevalent after the massive PlayStation Network and Sony Online Entertainment breach in April.
In subsequent attacks, LulzSec breached insecure servers at various media and software companies to harvest user names and passwords. The group publicised the information by posting it on Twitter, sharing it on Pastebin or creating torrent files for download.
Changing tactics
While it continued to deface Websites (such as PBS.org and the Westboro Baptist Church) and launch DDoS attacks (on sites such as Britain’s Serious Organised Crime Agency and the United States Senate), LulzSec was increasingly stealing user data in the name of “lulz,” or entertainment. In its press releases publicising its attacks, LulzSec regularly chided government and big businesses for failing at basic security.
“What’s disturbing is that so many Internet users appear to support LulzSec as it continues to recklessly break the law,” said Chester Wisniewski, senior security adviser at Sophos.
The attack methods used by Anonymous and LulzSec “aren’t particularly sophisticated,” as they are using well-known methods and readily accessible penetration testing tools to find and exploit vulnerabilities, said Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. “Yet, they’ve managed to hit high-profile targets.”
“The one good thing coming from these hacktivist attacks is that they highlight the current state of security technology in organizations that are believed to have the highest level of security”, said Anup Ghosh, founder and chief scientist at Invincea.
Power without responsibility
LulzSec also blurred the line between exposing security issues and malicious activity, as the group came under fire for publicizing the personal information it had stolen after breaching Sony Pictures Entertainment and other targets. The individuals were victimized twice, first by having their accounts compromised and then by having their sensitive data leaked for other malicious parties to steal their identity.
“There are responsible ways to inform a business that its Website is insecure, or that it has not properly protected its data; you don’t have to put innocent people at risk,” pointed out Wisniewski of Sophos.
LulzSec and Anonymous also encouraged supporters to hack into, steal and publish classified government information from any source. On Twitter, various members claimed the attacks were necessary to expose the alleged lies and illegal activities governments were covering up.
Continued on page 3