Can LulzSec and Anonymous forge a turning point?
Lysa Myers, director of research, West Coast Labs
For as long as I can remember, there has been talk in the anti-malware industry about what sort of event it will take to get people to take computer security seriously.
There were countless airline events which took place before governments started implementing increasingly restrictive security measures at airports. There were similar incidents before the accident at Chernobyl, but it took that level of disaster before the general populace became fearful of nuclear power.
Neither airplanes nor nuclear power became instantly unsafe. In fact, they're both considered fairly safe compared to other modes of transport or power. But suddenly people became aware of their risks and made changes as a result of the incidents.
Regardless of what you think of the effectiveness of the measures that were taken after the fact, the changes were massive.
Now when it comes to cybersecurity, it will likely take a Chernobyl-like event to get people to take it seriously. But that day could be sooner than we expect, at the rate things have been escalating.
In my last column, I discussed the attack on Sony's PlayStation Network. Since that breach, a new organized hacking group, called LulzSec, joined and left the fray, grabbing daily headlines with their hacking activities.
LulzSec and the more-established Anonymous hacking collective recently announced a joint venture, dubbed "AntiSec," to target high-profile government and banking sites to expose wrongdoing. Given the number of sites which have already been hit, this is likely not an idle threat.
Will an event like this be enough to get people to appreciate that security incidents affect everyone, not just large targets? The campaign reminds me a bit of the "Month of Bugs" campaigns that we saw a few years ago during which researchers spent a dedicated month on publicly releasing security holes in various types of popular software.
“Will an event like this be enough to get people to appreciate that security incidents affect everyone, not just large targets?”
No major software company was immune from this onslaught, and it made for a very busy month for those working in a company that was targeted. And it was busy a whole lot longer than that for those of us working in a security company that reports new vulnerabilities. It was almost as taxing as the virus wars of 2004, when we were having multiple outbreaks of Bagle and Netsky daily.
And yet, these campaigns went almost completely unnoticed by anyone outside the software industry. Five years later, vulnerabilities certainly still exist on a similar scale.
Banks and government sites are already decidedly aware of security issues, but holes still exist. Will hitting these targets cause the ordinary citizen enough inconvenience or fear to change things?
We shall soon see.