Can Lulz Be Lassoed?
Jun 22, 2011 11:02 AM PT
A hacker believed to be involved in high-profile cyberattacks on major websites including those of the CIA, the U.S. Senate, PBS, the UK's Serious Organized Crime Agency and Sony was arrested outside London Tuesday.
After the arrest, 19-year-old Ryan Cleary was identified by authorities as a major player in the attacks, acting as a top-level member of the hacking organization LulzSec, the group believed to be behind these and other major online security breaches.
Tweets from LulzSec, however, assert that's hardly the case. Cleary's status, they say, was exaggerated. Light-hearted tweets from LulzSec's Twitter account indicate the group wasn't too concerned about his arrest.
"Seems the glorious leader of LulzSec got arrested, it's all over now...wait...we're all still here! Which poor bastard did they take down?" read a tweet from Tuesday.
Snitches Hit Glitches
The organization further mocked the law enforcement agencies that claimed they'd infiltrated the group.
"Clearly the UK police are so desperate to catch us that they've gone and arrested someone who is, at best, mildly associated with us. Lame," read another Tweeted response.
Later, the group claimed that two men loosely affiliated with LulzSec tried to inform police about them by leaking affiliates' log information.
Snitching doesn't sit well with the hackers -- as retaliation they published the names and addresses of the supposed tattlers, a serious consequence for people possibly involved with cyberattacks.
In the release, which was addressed to "FBI & other law enforcement clowns," the organization included some reasoning behind its motive -- really, they were just having fun.
"Yes, yes, there's always the argument that releasing everything in full is just evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz era, where we do things just because we find it entertaining," read the post.
Can They Hide Forever?
The true top-level hackers of LulzSec may have evaded law enforcement this time, but officials at enforcement organizations are still on the hunt. The question remains whether the resources, technology and pure manpower of agencies such as the FBI can keep up with a small, tight-knit group of hackers whose skills have apparently already allowed them to pull off many high-level attacks.
The evasive energy of a group like that can be perplexing to traditional policing agencies.
"If they were stealing or doing a more traditional type of crime, law enforcement would have all the mechanisms for that. But they're dealing with a threat that is purely informational, one that is crusading to change public opinion, and that's hard to catch. It's very difficult to apply laws to ideas," Tim Keanini, chief technology officer at nCircle, told TechNewsWorld.
Keanini said the worst-case scenario for law enforcement would be if the group quit being so vocal about their activities and went underground for a period of time.
While hacking into the public-facing CIA website is certainly a dangerous breach, the group hasn't been able to break through the additional levels of security whose breach could do major damage or jeopardize a nation. So law enforcement might set this at a slightly lower priority, which could help LulzSec evade capture longer.
"In general top law enforcement agencies get a lot more cases brought to their attention than they have time to chase. In a way these guys were easy prey, and they're more troublemakers than they are foreign spies, so they have a very low probability of getting caught," Avivah Litan, security analyst at Gartner, told TechNewsWorld.
Online Security Top Future Priority
Currently, groups like LulzSec and other "hacktivists" target mainly public-facing governmental sites and are after information rather than pursuing fraud. However, as the online world grows and hacker competence increases, so do security concerns.
"Everybody is going to be a victim. We've crossed the threshold. We live in an information age," said Keanini.
In fact, attacks like these could serve as a wake-up call to the industry.
"The attacks have succeeded not because they exploited zero-day vulnerabilities, but because competent and determined individuals scoured chosen networks looking for a weak link in the security chain. Time and time again, they found it. We clearly have a long way to go as an industry before we have set the bar high enough to deter such an adversary," Michael Sutton, vice president of security research at Zscaler Labs, told TechNewsWorld.
Even if a person is inactive online, his or her information can still be out there, Keanini pointed out. Online security, including cyberattack prevention as well as recovery, will be a thriving business.
"The question now is how quickly you know your information has been stolen, and what's the cost of rebuilding. I think it's going to be natural to just press that reset button, and we're on our way," Keanini said.