Awareness Pains: How the LulzSec hacks influence security awareness

Eric Vanderburg

Bob set down the phone with a sigh. After six hours, five phone calls, countless emails, and two meetings, it was time to go home. The exploit of a system he had been assured was safe was now front-page news. LulzSec was taking the credit but his company was taking the blame. Maybe this time we’ll fix something he joked to himself. Bob was made painfully aware of the shortfalls within his company’s security system.

Don’t let this happen to your company. Before this recent string of attacks certain security systems were thought to be safe. However, attacks such as the wikileaks scandal has catapulted hacking to the forefront, and shows that powerful governments are vulnerable to sensitive information being leaked and distributed to the public or used by an attacker. Once again there was little mentioned relating to business in wikileaks or the fallout surrounding. That all changed with the adventures of LulzSec or Lulz Security, and their hack of major corporations. LulzSec if anything raised awareness in the world if internet security. This blog is part of a series on the LulzSec hackings. There will be three follow up articles, in addition to this main entry, outlining LulzSec hacking case studies and corporate response.

The Lulz security group or LulzSec was a deeply popular group responsible for the infiltration of the networks of many major organizations. Not least of which includes the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), Sony Corporation, AT&T, AOL, among other major multinational corporations. Recently the LulzSec group endeavored on a fifty-day excursion exposing and hacking major companies and organizations.

The group kept tabs of their adventures online, and they gained a tremendous following. They were famous not only in the deep recesses of social media, but they made headline news. At the height of their popularity, however, the company released a memo stating that they hacked their last thus allowing corporations a chance to regroup.

The ultimate irony of the LulzSec situation is the way they were revealed. While there was the traditional law enforcement, there was also another group seeking the disbanding of LulzSec, and that was a rival hacker group called TeaMp0isoN (team poison). Ironic subtleties aside, the fact that LulzSec was partially exposed by another hacking group points to the fact that this problem of hacking is not an isolated event that lived and died with the LulzSec group. Instead, it testifies to a chronic problem that needs to be dealt with swiftly, otherwise, there could be very dangerous consequences to lackadaisical anti-hacker policies.

No one enjoys being hacked, but there is a lesson to be learned in this. The LulzSec group exposed major flaws and inadequate precautions within the databases and servers of major, multinational corporations and organizations. These databases and lists contain the names and records of many important people within the case of the CIA or the FBI, and the personal information of tens of thousands of people within the Playstation Network. The sensitive information acquired from these corporations could be used to leverage the corporation into divulging more secrets or be sold to the highest bidder. In other words the information retrieved by hacking could be used as blackmail. See our blog entry about corporate espionage for more information on the blackmailing of corporations. While the LulzSec group claimed to be doing their hacking for the “lulz,” exposing the information of innocent people can be quite dangerous. Therefore, companies need to reassess their security solutions in order to protect not only themselves, but also their employees.

Not everything the LulzSec group did was harmful or detrimental. Instead, they revealed and raised awareness about large security flaws within these major corporations. Prior to the LulzSec attacks there was an assumption of security in big well-known companies. This assumption was proven false to both the consumer and to these organizations. While, certain attacks that were carried out by the LulzSec group were of little or no consequence, such as the ATM attack on May 15th. All of these attacks exposed a weakness, or worse a lack of knowledge, within security solutions to companies and consumers alike. The post-attack fallout shows that companies are scrambling to address their failures and shortcomings with regards to security.

Hacking on the individual level can cause many headaches and tremendous anxiety for the person who security was compromised. On the corporate level a hacker presents a major problem not just for the corporation itself, but the many individuals it represents. It is a major problem when the security of one of these corporations is damaged, and the problem grows when the security of several such organizations is undermined. Enter the Lulz Security organization. This LulzSec group broke into the systems owned by the CIA, FBI, Sony, Fox, PBS, and a number of other companies. What makes this unique is the publicity that has covered this string of attacks and the single name associated with it. This publicity that covered the attacks also covered the problems that companies had with their security systems. The attacks exposed the back doors and loopholes that companies and security solutions left exposed. However the hacks also left the companies affected and those not affected clambering to fix their oversights. So now a month after the events, has anything changed? Stay tuned for the next three case studies to see what has happened in the time following the event.

For further reading

50 Days of Mayhem: How LulzSec Changed Hacktivism Forever

LulzSec Disbanded ‘Because It Was Classy’

Why hacker group LulzSec went on the attack

Timeline Of LulzSec Hacks

JurInnov, a Cleveland based firm, offers information security consulting services to give you more confidence in your information systems. Contact us today and bring your security to the next level.

Request Info

TCDI | Computer Forensics | Cybersecurity | Litigation Technology