Activism and ‘Lulz’ Motivate Latest Rash of Hacks
Two prominent hacker groups, Anonymous and LulzSec, have ignited increasing concern over computer security by staging spectacular attacks and data heists against large corporations and government websites. The two groups have pulled off more than 30 attacks in the past two months, taking down websites belonging to the U.S. Senate and the CIA, humbling the gargantuan company Sony, and compromising nearly 2 million user logins and IDs across the Web.
Security experts warn that the hacks will continue thanks to a reemergence of predominantly young male computer users attracted to hacking for a cause and swapping bragging rights about their exploits online. So far, most members of the two hacking groups have remained in the shadows. The groups have no central leadership and no formal structure. (LulzSec officially disbanded in June.) Security experts describe groups such as Anonymous as an "idea," not a group.
Despite the lack of hacker organization, law enforcement hasn't stopped trying to put an end to hack attacks. Law enforcement in the United Kingdom, the Netherlands, Spain, Turkey, and the United States have made dozens of arrests and conducted searches as part of various hack attack investigations. For example, in late June, U.K. police arrested 19-year-old Ryan Cleary, who is accused of distributing tools to build a botnet that LulzSec used to attack the U.K. Serious Organised Crime Agency (SOCA).
Perfect Storm for Hack Attacks
Reformed hacker turned private security consultant Michael Calce says a combination of bad security, the availability of easy-to-use and increasingly sophisticated hacker toolkits, and social networking sites create a perfect storm for many of today's hackers.
"When I was hacking, it was about testing the status quo, ego, and who's the best hacker," Calce says. "Today, it's about monetary gain or activists trying to make a point." Under his online alias "Mafiaboy," Calce was responsible for a string of denial-of-service attacks in 2000 that crippled the websites of Amazon, CNN, Dell, eBay, Etrade, and Yahoo. Calce has since written a book about his exploits that is due to come out in the United States this August.
From Ego to Hack-tivism
Calce says today's hacks have a familiar flair but lack the ego-driven chest-beating of individual hackers he remembers circa 2000. Today's hackers still use online personas such as Sabu and Topiary, but the majority operate under umbrella organizations such as Anonymous, AntiSec, Gnosis, LulzSec ('lulz' is online slang for 'laughs' and 'Sec' stands for security), and Script Kiddies. Their objectives, it's believed, are to raise awareness about security issues and protest what it views as wrong.
Last December, Dutch authorities arrested 19-year-old Martijn Gonlag, who is believe to be part of the Anonymous hacking group. Gonlag was arrested for what he told authorities was a "digital sit-in" when he hacked computer systems, claiming it was in support of WikiLeaks.
Before that, Sony was hit in a string of attacks by hackers who stole 100 million online video-game users' personal data. The attacks were sparked by what hackers say was heavy-handed legal action against George Hotz, who was accused of jailbreaking a Sony PlayStation console.
The roots of these attacks and other so-called hacktivist actions date back to 2008 when Anonymous attacked the Church of Scientology to protest the religious group's attempt to control information about itself online.
Since LulzSec broke up, members of the group and others have formed a new hacker collective of sorts called AntiSec that as recently as June 30 dumped names, addresses, email mssages, and other personal data belonging to Arizona state police. Then, on July 4, another group calling itself the Script Kiddies took over a Fox News Twitter account and falsely reported that President Obama had been shot and killed. The following day, Anonymous and members of the AntiSec hacker group released hacked data from the Florida voting system and personal details of Orlando-area Democrats. Perhaps this was the best the hackers could do to fulfill their promise to retaliate against the June 6 arrest of members of Food Not Bombs in Orlando.
Next: How hackers work the media, and more.
A Warped Silver Lining
The only silver lining, experts say, is that hackers are drawing attention to security vulnerabilities and not exploiting them silently.
LulzSec claimed its scourge of hacks was meant to draw attention to vulnerable computers, while the new AntiSec movement hopes to expose corruption. Craving that type of visibility contrasts with other hackers who pride themselves on stealth intrusions and perpetrate corporate espionage, maintain ransom-ware schemes, and steal credit card data.
(See PCWorld's 2005 series Web of Crime.)
"Before, there was more of a criminal element involved so it wasn't publicized as much. It wasn't as if all of a sudden websites became vulnerable," says Chris Wysopal, cofounder and CTO of applications security firm Veracode.
Hackers Work the Media
Things have changed. Wysopal says recent data heists have attracted more attention thanks to a relatively new hacker tool: media-savvy public relations campaigns.
Both LulzSec and members of Anonymous maintain public Twitter accounts and post press releases announcing data leaks. At one point LulzSec even published a telephone number to take attack requests from the public.
"The new trend of hacks by groups like LulzSec and Anonymous is accentuated because attackers are trying to publicize it more," Wysopal says.
More than a decade ago, hackers such as Kevin Mitnick, Ehud Tenenbaum, and Michael Calce were also bringing down websites and breaking into large networks. What motivated hackers back then, Calce says, was just a general interest in seeing what was possible, and what people could break into. The IRC (Internet Relay Chat) chat rooms saw a lot of online contests where hackers would battle, each trying to kick the other offline with targeted denial of service attacks.
"I'm not worried about LulzSec and Anonymous," Calce says. "The hacks you don't hear about are more dangerous." LulzSec recently made a similar argument when it said that the real threat to online security is the criminals who don't announce their data thefts to the world.
A Hacker Is Still a Hacker
Security experts agree that such more-sinister hacker types still exist, but challenge the notion that groups such as LulzSec and Anonymous are not as menacing. Certainly they have been costly to hacking victims: Sony estimates that the recent string of attacks it parried cost the company $171 million.
In March, unknown hackers stole data from security firm RSA that jeopardized the company's SecurID two-factor authentication product. That theft led to an attack in May against Lockheed Martin, a major U.S. defense contractor. Lockheed Martin said none of its data was compromised as a result of the attack. In an unrelated incident, CitiGroup, the banking giant, fell victim to a hack that exposed more than 200,000 account holders to data theft.
Arguably, these attacks were far more serious than dumping large numbers of gamer IDs and website logins on Pastebin, as LulzSec often did; however, some reports of fraud related to LulzSec's data dumps have cropped up.
But whether hackers are looking for "lulz" or defense secrets, this type of activity will probably continue for the foreseeable future. "LulzSec and Anonymous demonstrate what can be done with a moderate skill level," Wysopal says. "If these guys are doing it you have to figure there are other guys, in other countries doing this stuff just as easily."