Professionalism/Lulzsec
Lulzsec is a hacker group that appeared May 2011 starting a 50 day hacking spree that targeted companies and government organizations. During their spree they hacked over 100 websites and would often mock their targets from their Twitter page. Their twitter ended with 1328 tweets, many announcing hacks and throwing insults at hacked companies.[1] LulzSec used several simple techniques, but applied their attacks indiscriminately to many websites, finding many that were vulnerable.
Attacks
editLulzSec began their attacks in May 2011. Fox.com had 73,000 X-Factor contestant names leaked after the hip-hop artist Common was called “vile” on the air. Similarly, in a defense of WikiLeaks and Bradley Manning., LulzSec hacked the American Public Broadcasting System (PBS) website, and posted a fake story about Tupac Shakur and Biggie Smalls being alive and well in New Zealand. However, some of their hacking raised more eyebrows because it showed compromised user data. They released the transaction logs of 3,100 Automated Teller Machines in the United Kingdom.[8][43]
In June, a SQL injection attack on Sony’s user database was executed in response to Sony’s anti-jailbreaking lawsuit situation. LulzSec claimed to have acquired the included "names, passwords, e-mail addresses, home addresses and dates of birth for over 1,000,000 people."[56] Some 200,000 others had their information hacked at Bethesda Game Studios by LulzSec. [64] An attsack on Nintendo proved unfruitful, but following this theme, LulzSec said, "We're not targeting Nintendo. We like the N64 too much — we sincerely hope Nintendo plugs the gap."[62]
"It has now come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama [sic] have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it [...]."[73]
The attacks took on a different nature when responding to politics. The CIA, Senate, and FBI sites were the most high profile American targets of LulzSec. Government sites in China, Brazil, the UK, and Portugal were also targeted successfully. These attacks often came with a public statement of motive from LulzSec, usually a response to some unpopular policy or rhetoric, but there were instances like with the British National Health Service, where LulzSec’s attack was almost well-intentioned: "We mean you no harm and only want to help you fix your tech issues."[74]
Methods of Attack
editLulzsec used several simple methods to attack their targets.[2] One of their main methods was the Distributed Denial of Service Attack (DDoS) where they instruct a bank of computers under their control to repeatedly try and access a website, overloading that website’s servers. Such an attack does not give them any data or control over their target’s servers, but disrupts its ability to server legitimate users. To combat this type of attack, administrators can filter certain types of requests to their servers and buy more bandwidth and servers. Smaller businesses, however, may not have the resources to fight these types of attacks, especially if another company controls the servers hosting their website.[3]
Lulzsec used SQL injection attacks where an attacker includes specially formatted database query code data sent to the server.[4] If the website’s code does not properly sanitize inputs, this code can be executed, giving Lulzsec access to the targets database, including usernames, emails, passwords, credit card info, and other confidential information. A similar attack used by LulzSec is a Cross Site Scripting attack (XSS) where dirty data is saved, and then output as html/javascript code. XSS gives attackers the ability to run javascript on any user that views a page displaying the dirty data.[3] All modern web programming languages include ways to automate the sanitization of user inputs. Until the inputs have been sanitized, all user input should be regarded as unsafe to process.
Lulzsec used social engineering techniques to gain access to user information. They targeted users with easy to guess passwords (ex. ‘123456’) or users who used the same passwords across several accounts. They used phishing, where they made fake login pages and collected the passwords users entered into them.[5] To prevent this, companies can require more complex passwords and give passwords an expiration date. They can also educate their users about security concerns. To prevent phishing some websites have started adding secret phrases unique to each user, displayed on the log in page. If the phrase does not match the one the user chose, they know that the login page is phony. Lulzsec took advantage of targets who failed to update their software. They would inspect a software patch intended to fix a security flaw, reverse engineer the flaw then exploit it to take over systems that had not applied the patch yet. Administrators need only to keep their software up to date to prevent this attack. Software companies should ensure that they have automatic updates to software, that they notify users of patches, and that their patches are encrypted or obfuscated to prevent reverse engineering.
The simplicity of these attacks allowed Lulzsec to automate detection and attacks, so that they could probe hundreds of websites for these vulnerabilities. This could explain how they executed so many attacks in a short period of time.[6]
Professionals?
editOn March 6, 2012, Sabu was revealed to be Hector Xavier Monsegur, a 28-year old, unemployed[1] New York City man. Federal agents arrested and persuaded Monsegur to become an informant for the FBI and to continue his "Sabu" persona, to which he agreed.[17][18] Monsegur provided the FBI with information enabling the arrest of seven hackers associated with the groups Anonymous, Lulzsec and Antisec.[19][20]
Monsegur maintained his pretense until March 6, 2012, tweeting his "opposition" to the federal government until the end. Some of Monsegur’s last tweets included, "The feds at this moment are scouring our lives without warrants. Without judges’ approval. This needs to change. ASAP" and "The federal government is run by a bunch of fucking cowards. Don't give in to these people. Fight back. Stay strong".[19]
Monsegur is perhaps the best example LulzSec has to offer as someone who raises professionalism questions. His skill at hacking, as well as his enjoyment of it suggest that this is indeed his calling. However, motivation for "hacktivism" is suspect, and in order to achieve success in this arena, one operates outside the law. It is only through anonymnity that Monsegur (Sabu) and others can do this sort of work. But are they using their "ring of Gyges" for good? Are these "for the Lulz" motives sufficient for a professional, or are they more indicative of a child? Would a professional not then owe something to his colleagues? Sabu sold LulzSec to the FBI. Does this make him less of a hacktivist?
LulzSec's other members would say yes. But they themselves were initially seeking to out the unproffessionalism of data storage providers through their actions. In both Sabu's case and the companies and organizations LulzSec attacked, some level of professionalism is lacking in the way of loyalty. Loyalty, either to colleagues or clients, is a key aspect of professional conduct, and its deficiencies stand out as professional shortcomings in this case study.
Lessons
editLulzSec embarrassed many big companies. The attacks they used could have been undertaken by anyone with a few months of computer science knowledge. In this case they were undertaken by several teenagers and young adults trying to make a point. The LulzSec case was a failure of many companies to recognize that IT is a profession that requires experts. Companies should learn from this that their security is only as strong as its weakest link. They need to implement and enforce company-wide security protocols for their employees and their users. They need to mandate hard to guess passwords for every user, along with password expiration dates. They need to ensure that their IT staff has a deep understanding of security and those staff need to make sure that non-experts are following security protocols. Companies need to implement filtering to prevent DDoS attacks. If they don’t manage their own websites, they need to make sure they hire companies that follow these rules. Companies need to keep their software up to date. Software designed for non-experts must be designed by security experts, and must require secure practices. Most importantly, companies need to recognize the importance of cyber security in this day and age. Cyber threats pose a significant risk for companies' image and profits. Had LulzSec used their attacks for profit, many people could have been stolen from.
References
edit- ↑ [1]"The Lulz Boat (LulzSec) on Twitter".
- ↑ [2], "Twitter/LulzSec". June 20, 2011.
- ↑ a b [3] "Tech Republic Blog: DDos Attack Methods and How to Prevent of Mitigate Them". October 2012.
- ↑ [4], "Twitter/LulzSec". June 19, 2011
- ↑ [5] "Twitter/LulzSec". May 9, 2011
- ↑ [6] "Learning from LulzSec: For hackers, automated attacks reign". July 2011.