Government // Cybersecurity
News
6/16/2011
10:11 AM
Connect Directly
RSS
E-Mail
50%
50%

LulzSec Claims Credit For CIA Site Takedown

The hacking group said it rendered the CIA's public website inaccessible and launched phone DDoS attacks on FBI's Detroit office and other groups suggested by followers.

The hacking group LulzSec, aka the Lulz Boat, on Wednesday claimed to have rendered the CIA's public website inaccessible.

"Tango down - cia.gov - for the lulz," said a tweet on the LulzSec Twitter feed. ("Tango down" is a phrase from the Tom Clancy videogame Rainbow Six, uttered after an enemy's been killed.) For at least part of the day, the CIA website couldn't be reached, or was only sporadically accessible. Some Internet watchers said the site could have been unreachable simply because LulzSec tweets led so many people to try and access the site at once, leading to its becoming slashdotted.

But LulzSec claimed to have used a distributed denial of service (DDoS) attack. "People are saying our CIA attack was the biggest yet, but it was really a very simple packet flood," said a LulzSec tweet.

That apparent attack--according to news reports, the CIA said it's still investigating--followed the group's requests, earlier in the day, for suggested targets. As part of that campaign, the group also released a phone number, which it rerouted for "phone DDoS" attacks. "Our number literally has anywhere between 5-20 people ringing it every single second. We can forward it anywhere in the world. Suggestions?" said a LulzSec tweet.

Suggestions in hand, LulzSec launched phone DDoS attacks against a website that manufacturers custom magnets, the customer service lines for massive multiplayer online game EVE Online and World of Warcraft, and the FBI's Detroit office.

Further continuing in that vein, LulzSec apparently hacked the CIA to impress a Twitter user, Quadrapodacone, who had lambasted the group for only attacking "soft targets" such as PBS and Nintendo, noted Gawker. "Stop calling yourself hackers, you're giving real hackers a bad name," Quadrapodacone said. "Here's a challenge ... fbi.gov or cia.gov try changing text or something." (Both sides of the exchange now appear to have been deleted from Twitter.)

LulzSec's DDoS attack against the CIA followed the group's breach of an FBI-affiliated InfraGard membership database, the contents of which it posted online. The group has similarly targeted Sony and the PBS website, amongst other organizations.

If using DDoS to render websites sounds familiar, that's because the "hacktivist" collective known as Anonymous--from which LulzSec is rumored to have originated--used such attacks as part of Operation Payback. That campaign targeted organizations perceived to be unfriendly to WikiLeaks. According to security experts, DDoS attacks can be easy to launch, but quite difficult to counter.

Beyond this DDoS attack, LulzSec's overall success at breaking into websites seems to stem from poor preparation on the part of targeted organizations, including government agencies. Security experts also suspect that the group's members have been part of the hacking underground for some time, and have the skills and savvy to hide their tracks.

Public opinion over LulzSec's activities appears to be quite divided, with online comments on the group's activities ranging from "it's not real hacking" to comparing LulzSec's CIA website takedown to "a cat with a yarn ball."

According to a poll conducted by antivirus vendor Sophos on its website, 43% of more than 1,500 respondents said they disapprove of what LulzSec is doing, 40% approve, and 17% think it's funny--but they don't approve.

"While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are--in the worst cases--having their personal data exposed," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "There are responsible ways to inform a business that its website is insecure, or that it has not properly protected its data. What's disturbing is that so many Internet users appear to support LulzSec."

Furthermore, he said, "in case anyone's in any doubt, a denial of service attack, like that which appears to have hit the CIA website, is against the law."

In the new, all-digital Dark Reading supplement: What industry can teach government about IT innovation and efficiency. Also in this issue: Federal agencies have to shift from annual IT security assessments to continuous monitoring of their risks. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.