About three months ago, following the arrests of five members of an Anonymous spinoff hacker group, an FBI official declared: "We're chopping off the head of LulzSec."
Perhaps they did. But activist hackers, some still claiming the LulzSec name, seem eager to prove that they are no more destructible than the Lernaean Hydra -- the mythical water serpent with many heads, which could grow back two heads if one was cut off.
One report this week said that the group calling itself LulzSec Reborn "posted about 10,000 Twitter usernames and passwords on Pastebin. The leaked Twitter accounts are from people who use TweetGif, a third-party app that lets users share animated GIFs."
This is not the first hack for which the group has claimed responsibility. In late March, only three weeks after the LulzSec arrests, the "Reborn" group broke into the database of the military dating site ESingles, stole passwords, e-mail addresses and other information from nearly 171,000 accounts and also posted them on Pastebin.
CNET's Elinor Mills reports that this is not the only "new" group out there. "Suddenly, there is 'LulzSec Reborn,' 'MalSec,' and 'SpexSec,' fresh names for groups of malicious hackers using old techniques."
Nick Selby, managing director of N4Struct and a Texas police officer who investigates cybercrime, said this should be no surprise. "It's certainly evidence that the threat is highly distributed, and the barrier to entry for those wishing to engage in these kinds of activities is low and plummeting each day," he said.
Chester Wisniewski, a senior security adviser at Sophos, agrees. "As long as there are a lot of assets out there that are reasonably insecure, this will keep happening," he said. "The Occupy movement may no longer be visible, but the 99 percent are still upset. The FBI may give some individuals who are risk-averse pause, but if some people are stopped, there will always be another to step into the role."
Arrested Hacker Flips
The FBI broke the top ranks of LulzSec about nine months after arresting its leader, Hector Xavier Monsegur, 28, who went by the handle "Sabu." The agency reportedly was able to flip Monsegur almost immediately after his arrest on June 7, 2011.
At the time, most security experts agreed that LulzSec had been damaged, but hardly eliminated.
LulzSec (it is not known if it is actually made up of previous LulzSec or "Reborn" members) does admit to some damage. In a video posted June 3 from a previously unknown YouTube account, and which features a scrolling, disappearing script in outer space like the opening of Star Wars, the group wrote: "The oppressive powers behind the Evil empire have used Darth Sabu to seed mistrusting amongst the inhabitants of the planet Anonymous. The Old Order of the Knights of the Lulz, hunted and exterminated by FBI Siths, have gone into the shadows."
But, the video says, "In a secret and distant IRC, some knights are coordinating plans and analyzing TBs of data they have taken from the empire. This new council is carrying on secret missions all around the internet to take control over strategic assets; with this new life in the shadows, a new hope is growing, again, amongst knights."
The video says the group will dump more than three terabytes of data onto the web that it claims it hacked from the U.S. State Department, the FBI, the Defense Intelligence Agency, the Air Force, Syrian government emails, Colombian prisons, millions of unattributed emails, and "even more data, and we'll figure out what's the best use for them."
In an obscenity laced conclusion, it promises, "Message to government agencies: This time you won't see us coming. This time you won't find us. And you won't know we are there. You will just eat (expletive)."
Take Threats Seriously, Experts Warn
Jody Westby, an attorney and CEO of Global Cyber Risk, said that sadly, LulzSec and similar groups have reason to boast. "The bad guys are winning every contest," she said. "Cybercrime has become the perfect crime; the criminals rarely get caught. There is money to be made, egos to be satisfied, and outlaw tendencies to be stoked."
Nick Selby doesn't go quite that far, noting that, "there have been some pretty spectacular and a lot of mundane arrests made, and if you ask certain people, the damage that has been caused to date is more to pride and ego than actual security."
But he said he believes the real damage, and real danger, is from some federal officials who, "continue to pooh-pooh some truly destructive and dangerous activity, claiming that, 'no classified data has been lost,' and other absurd statements that are clearly divorced from reality. These cause a sense of false security, and it is clear that many municipalities are still not taking information security seriously."
Selby agrees with Jody Westby when she contends, "We will not turn the tide on cybercrime until we start focusing on the crime as much as we are focusing on the security of systems."
"We need harmonized cybercrime laws around the world, trained law enforcement, points of contact for all the 253 countries and territories connected to the Internet, and improved laws to facilitate international cooperation and assistance," Selby said.
"We need substantially more prosecutions and investigations of cyber crime on a local, county, state and tribal level," Selby said. "We can't win if we don't fight -- and right now, we're not fighting enough."
Chester Wisniewski agrees with more aggressive law enforcement, but said the downside of that may be that the less skilled hackers will be taken out, leaving the field to those with much greater ability both to hide and to do damage.
"Arrests could scare away the hobbyists but wake up the better ones to better operational security," Wisniewski said. "If you always have your guard up, you can largely hide yourself for a long period."
He said local law enforcement does not have anything close to the resources to deal effectively with the extent of cybercrime. "Even the FBI is very under-resourced."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
This story, "LulzSec Hackers Down but Not Out" was originally published by CSO.