The Cruel Tutelage of LulzSec
LulzSec's latest exploit has been to open the phone lines, promoting a "dial-a-hack" number which the public can call to request a company or website that should be targeted. So far, Lulz Security has hacked several high-profile organizations, though its goal seems to be the exposure of weaknesses rather than theft. Are they craven criminals, merry pranksters or grim griefers?
06/15/11 2:21 PM PT
LulzSec, the shadowy group of hackers that has hammered Sony, blown raspberries at the FBI and tweaked the nose of the United States Senate, set up a hotline Tuesday over which people can request hacks.
Response was overwhelming, according to a tweet from the group. It claimed to have 2,500 voice mails and missed another 5,000 calls within hours.
"The Lulz Boat must sail off and organize itself," the tweet continued. "Hope you enjoyed Titanic Takeover Tuesday!"
That last part of the message referred to the group's attacks on several gaming companies Tuesday.
So, how should we view LulzSec? It doesn't appear to be raiding servers in order to steal credit card numbers and profit by way of massive theft. So are they a bunch of merry pranksters who uncover weaknesses in supposedly secure sites, administering painful lessons so their victims can remedy their security flaws before the real bad guys strike? Or are they people whose actions, which have impacted more than 100 million users of various services, cross the line into harmful criminal enterprise?
LulzSec Hands Out Painful Lessons
LulzSec hit the headlines in May by repeatedly attacking the websites of Sony, then following that up with high-profile attacks on the websites of various other organizations.
Those victims include Bethesda Softworks, the U.S. Senate and the Public Broadcasting Service.
Tweeting about the attack on Bethesda, which bills itself as the third-largest personal computer entertainment company in America, LulzSec said it broke into the gaming site "over two months ago" and had data on all of its "Brink" players for weeks.
"Please fix your junk, thanks!" LulzSec's tweet about the Bethesda attack concluded.
Further, the group has posted on the Internet user data taken from the websites of victims such as Sony and PBS, though it apparently did not seek to profit directly from the act.
Does this make LulzSec benign?
Robin Hood Today, Robbin' the Hood Tomorrow?
"Clearly the organization wants publicity," Wasim Ahmad, vice president of data security at Voltage Security, told TechNewsWorld.
"That they're doing this without a profit motive in mind today is interesting, but without a manifesto of their aim, it's difficult to see what the future holds for this kind of invasive approach as a purely educational endeavor," Ahmad added.
In other words, LulzSec may not be so benign in the future. Who's to say?
"LulzSec's behavior is almost exactly like that of 'griefers,'" Tim Keanini, chief technology officer for nCircle, told TechNewsWorld.
"Griefer" is an online term typically used in multiplayer games to describe players whose sole intention is to harass other players for their own amusement.
"LulzSec has definitely harnessed a lot of talent and focused it on their specific purpose, and the level of visibility their successful exploits are receiving is definitely part of the payoff," Keanini added.
An Underground Pool of Talent?
There have been rumors that the members of LulzSec are long-time underground hackers who may present papers at security conferences and may even work for security companies.
That's a view nCircle's Keanini more or less agrees with.
"Talented hackers at this level are not born overnight, so the people behind LulzSec have to have been around for some time now," Keanini said.
On the other hand, these people "don't have to be the most talented hackers, they just need to be more talented than their victims," Keanini pointed out.
That possibility makes for a very wide potential pool of suspects indeed.
"Every hacker who has executed a SQL injection attack and reaped sensitive data thinks he is technically savvy," Voltage's Ahmad remarked.
"To catch them or any other hacker red-handed, you would need sophisticated monitoring," Ahmad added. "But why bother? Why not make what they're looking for simply go away by encrypting it so that it's useless from a publicity or fraud perspective?"