The legacy of LulzSec
As if 2011 hasn't been interesting enough, given the sheer number of data breaches (CNET has posted a nifty chart), the next several days promise to yield even more stolen records, at least according to the latest dispatch from the hacker group LulzSec.
The collective, which has been all the talk of the security industry over the past several weeks since it launched its attack on PBS, announced later Sunday that it is hooking up with the Anonymous group, best known for its attacks on HBGary Federal, to launch "Operation Anti-Security."
The mission is to expose government and corporate corruption by way of stealing and leaking classified data.
"Together, we can defend ourselves so that our privacy is not overrun by profiteering gluttons," Lulz Security wrote. "Your hat can be white, gray or black. Your skin or race are not important. If you're aware of the corruption, expose it now, in the name of Anti-Security."
The call to arms is a testament to how unpredictable LulzSec has been. Just a few days ago, it was leaking the usernames and passwords of pornographic subscribers, was asking its followers on Twitter to call a phone number to suggest a candidate to DDoS, and was using its call center to flood the World of Warcraft support line. All for, as the group said, the lulz.
The fact that LulzSec is allying with the more established Anonymous gang, and asking for any outsiders to join in for a more principled cause, could be an indication that the group is losing some steam – especially in light of a series of alleged outings last week and over the weekend.
No matter their identities, and even if the LulzSec group was all apprehended by authorities tomorrow, one can't deny that they have changed the landscape. Members have infiltrated a number of high-profile websites, including those of Sony, the CIA and the U.S. Senate, with apparent stunning ease.
The question on some people's minds is: What impact do these "hacktivist" groups have on infosec as a whole?
There are two scenarios that may play out, as I see it.
1). Anonymous, LulzSec and whichever groups follow -- and we know there will be others -- significantly help to secure cyberspace, by catapulting data breaches into the mainstream and forcing all organizations to assess their security stance.
Tales of LulzSec conquests have escaped the traditional trade press ceiling and have found their way into the mainstream media with regularity. Surely, the budget decision-makers at various firms have seen the headlines and are well aware that they could be next.
Of course, containing these hackers is not easy. While the infiltrators, for the most part, appear to be using relatively simple means of gaining access (i.e., no customized malware), organizations are struggling to respond.
Ideally, what would result is a new way of thinking about cyber defense.
Jeffrey Carr, founder and CEO of Taia Capital, which specializes in cybersecurity countermeasures for corporate executives and government officials, wrote an interesting blog post Sunday where he challenged organizations to think like an attacker. Among his suggestions:
- Uncertainty and randomness favor the adversary, therefore defenders must implement components of randomness and uncertainty as part of a network defense strategy.
- Since it isn't possible to anticipate every type of attack, the defender must become a competitor to the adversary and continually attack his own system "in the hopes of finding heretofore undiscovered attacks" before the adversary does.
2). The second scenario that might play out is the government overreacting to the actions of LulzSec and, as a result, lawmakers enact stiff legislation that considerably limits the openness and freedom of the internet. Such a prospect was warned about in a paper written earlier this year by researchers at George Mason University.
Two other academics, Ronald Deibert and Rafal Rohozinski of the Munk School of Global Affairs at the University of Toronto, also addressed this possibility during a video I shot with them last week at SC Congress Canada. (We start talking about it at approximately the 3:45 mark).
LulzSec is certainly baiting the government to go this route, with its CIA and Senate infiltrations, and the latest rallying cry. And we might already be seeing the first signs of this overreaction already appearing.
I should also mention that the possibility exists that LulzSec is not who we think they are, but are instead, say, a government-hired band of digital assassins. Hey, the conspiracy theories are out there. And at the rate this year is going, nothing would surprise me.
In a perfect world, the legacy of 2011 and LulzSec will be that the web remained open and free, governments and corporations were held accountable when they did wrong, all organizations recognized that resilient security (and proper responses in light of a breach) are merely table stakes for doing business, and hackers who victimized the innocent were brought to justice.A guy can dream, right?