Activism and ‘Lulz’ Motivate Latest Rash of Hacks
A Warped Silver Lining
The only silver lining, experts say, is that hackers are drawing attention to security vulnerabilities and not exploiting them silently.
LulzSec claimed its scourge of hacks was meant to draw attention to vulnerable computers, while the new AntiSec movement hopes to expose corruption. Craving that type of visibility contrasts with other hackers who pride themselves on stealth intrusions and perpetrate corporate espionage, maintain ransom-ware schemes, and steal credit card data.
(See PCWorld's 2005 series Web of Crime.)
"Before, there was more of a criminal element involved so it wasn't publicized as much. It wasn't as if all of a sudden websites became vulnerable," says Chris Wysopal, cofounder and CTO of applications security firm Veracode.
Hackers Work the Media
Things have changed. Wysopal says recent data heists have attracted more attention thanks to a relatively new hacker tool: media-savvy public relations campaigns.
Both LulzSec and members of Anonymous maintain public Twitter accounts and post press releases announcing data leaks. At one point LulzSec even published a telephone number to take attack requests from the public.
"The new trend of hacks by groups like LulzSec and Anonymous is accentuated because attackers are trying to publicize it more," Wysopal says.
More than a decade ago, hackers such as Kevin Mitnick, Ehud Tenenbaum, and Michael Calce were also bringing down websites and breaking into large networks. What motivated hackers back then, Calce says, was just a general interest in seeing what was possible, and what people could break into. The IRC (Internet Relay Chat) chat rooms saw a lot of online contests where hackers would battle, each trying to kick the other offline with targeted denial of service attacks.
"I'm not worried about LulzSec and Anonymous," Calce says. "The hacks you don't hear about are more dangerous." LulzSec recently made a similar argument when it said that the real threat to online security is the criminals who don't announce their data thefts to the world.
A Hacker Is Still a Hacker
Security experts agree that such more-sinister hacker types still exist, but challenge the notion that groups such as LulzSec and Anonymous are not as menacing. Certainly they have been costly to hacking victims: Sony estimates that the recent string of attacks it parried cost the company $171 million.
In March, unknown hackers stole data from security firm RSA that jeopardized the company's SecurID two-factor authentication product. That theft led to an attack in May against Lockheed Martin, a major U.S. defense contractor. Lockheed Martin said none of its data was compromised as a result of the attack. In an unrelated incident, CitiGroup, the banking giant, fell victim to a hack that exposed more than 200,000 account holders to data theft.
Arguably, these attacks were far more serious than dumping large numbers of gamer IDs and website logins on Pastebin, as LulzSec often did; however, some reports of fraud related to LulzSec's data dumps have cropped up.
But whether hackers are looking for "lulz" or defense secrets, this type of activity will probably continue for the foreseeable future. "LulzSec and Anonymous demonstrate what can be done with a moderate skill level," Wysopal says. "If these guys are doing it you have to figure there are other guys, in other countries doing this stuff just as easily."