How LulzSec Hackers Outsmart Security Gurus
While the world argues whether the hacktivist group is more Robin Hood or terrorist, the big question is: how have the hacks been so successful? Security experts share some answers.
Mischief makers, or hardened criminals? Cyber terrorists, or digital Robin Hoods? No matter your opinion of the "hacktivist" group that calls itself the Lulz Boat, or LulzSec for short, one thing is for certain: the band has been compromising websites at a seemingly unstoppable rate.
As defined by a 2008 hacker exposé, lulz means "the joy of disrupting another's emotional equilibrium." Without a doubt, numerous organizations are feeling disrupted, and appear to have been unprepared for LulzSec's attacks, including the U.S. Senate, game maker Bethesda Software (producer of such titles as Brink, Doom, and Quake), Sony BMG, security firm Unveillance, Nintendo, and the Atlanta chapter of FBI affiliate InfraGard. And that's just a partial list of the exploits published by LulzSec in June.
But why are attacks of this scale only happening now? There appears to have been a hacking tipping point, as this single group of hackers has exploited so many different websites with seeming abandon, all while detailing their exploits via Twitter and exposing reams of information via Pastebin and a bespoke releases site.
For starters, LulzSec seems smarter, and more prolific, than many of its predecessors because its members appear to be experts at hiding their tracks. Eric Corley, who publishes 2600: The Hacker Quarterly, has opined that 25% of hackers today are informants (a figure largely dismissed by security experts, who said that while the FBI would like people to believe that, it's most likely not true). If so, then LulzSec is all the more remarkable for not only having evaded arrest, but seeming to operate with impunity.
The group didn't spring, fully formed, out of nowhere. From an ethos standpoint, the band parallels other loosely affiliated hacking groups, such as GOBBLES, and more recently Anonymous (from which LulzSec is rumored to have arisen), said Jack Koziol, director of information security training firm Infosec Institute, in an email interview. Furthermore, its members evince both skill and patience.
"I would say these guys have been in the underground for many years," he said. "I believe them when they say they have a number of unpublished exploits. I would bet they go to cons [conferences], perhaps even present at them, and may have worked at security companies or still do work at security companies."
How does the group evade detection? "For sure they have a very sophisticated anonymization scheme that involves Tor as well as many compromised hosts in various countries to attack their targets, tweet, and upload torrents, etc. They probably never use the same anonymization scheme and proxy channel twice," said Koziol.
As that suggests, the group has been successful in no small part due to its members' technological savvy. "I would say they are probably using various reverse engineering tools to discover vulnerabilities, such as IDA Pro or OllyDbg. Perhaps they have their own fuzzer or source code analyzer built from scratch," said Koziol. "They are then weaponizing these newly discovered vulnerabilities by leveraging existing shellcode and memory-resident rootkits to pivot to internal systems."
LulzSec's ethos also explains, to an extent, the group's success, because it seems to have caught a number of organizations off guard. "These are 'old school' hackers hacking for fun and fame, rather than a financial motive," Koziol said. Indeed, the group focuses on embarrassing organizations it perceives to be unjust, unmasking false security experts, as well as simply finding targets that will bring them fame, he said. "They are riding the backlash against security companies, against white-hat grandstanding, and have a very strong anti-authoritarian theme running through their hacking as well as their published posts."
Accordingly, businesses that might have previously gotten away with skimping on security are now being called to account. "All sorts of systems that are not secured--as well as perhaps an Internet banking service or credit card processing application--are now fair game," said Koziol.
But hackers with altruistic motives or who target authority figures often lose that focus as they continue, said Rick Dakin, CEO and senior security strategist at Coalfire Systems, and also president of the Denver chapter of InfraGard. "Lulzsec is not yet associated with any damage to specific individuals," he said in an email interview. "Can Lulzsec be corrupted with financial gain? [It's] too early to tell."
Even if the group does move in that direction, however, businesses today need to rethink their risk management calculus, or face reputational roulette. "Companies will have to spend more to protect their reputation, with the same level of security as a bank protecting its online customers," said Koziol.
In other words, if businesses want to not get hacked by an outfit such as LulzSec, they need to start strengthening their systems, and it's not going to be an easy or inexpensive process. "This long-term change can only occur when business leaders understand the risk associated with processing and storing sensitive data. The CEO of Sony called it correctly by referring to a change in DNA," said Dakin.