2011-06-27 00:03:05 by chort
For the past 50 days LulzSec has captured the attention of the information security community, the mainstream media, and just about every other kind of media. Has anyone stopped to wonder what it is that causes the LulzSec saga to be so "sticky?"
If you listen to various information security podcasts, follow infosec practitioners on Twitter, or read their blogs, you'll probably have heard this phrase a hundred times in the past few weeks: "it's a wake-up call." Is it really? We could have woken up when Lockheed Martin was hacked, or when RSA was hacked, or when Google was hacked (again), or when various energy companies were (supposedly) hacked, etc. If people haven't woken up due to what happened before LulzSec, they aren't going to act differently now.
So what do these people actually mean when they say "wake-up call?" In my opinion, it falls into two camps. The first, and I'd argue the easiest to identify, is the "living vicariously" variety. These are generally folks who now work as penetration testers or exploit researchers. What they are basically saying is "I wish I could get away with that." In fact, Kevin Mitnick had this to say:
PC World applauds @Lulzsec for compromising systems. If I did such antics, I'd be back in solitary confinement!
Which, to me, sounds rather wistful. It seems that he did a mental cost/benefit analysis and decided that the risk of going to jail was larger than the thrill of hacking into systems illegally. Next we have this quote from another pen tester:
Lulzsec is straight killin it lately. Got to give them props for that at least.
I interpret this as something like "I don't necessarily support them, but I admire their audacity and success."
The point of these quotes isn't to disparage the people making them; in fact, I think they were much closer to being honest than most other public commenters. Essentially, I believe most people with exploit experience who are calling this a "wake-up call" are just being politically correct. However small the risk of prosecution is, it's just not worth giving up employment or freedom of movement for some thrills.
On the other side of the fence are those who think these attacks prove the need for more corporate spending on security, more laws against specific types of computer activity, and more surveillance powers for law enforcement agencies. They keep beating the emotional drums of FUD to trick people into giving up basic rights as they apply to digital communications and data. As I warned on Twitter, people should be prepared to see various attempts at "Digital Patriot Act" legislation in the coming months. People like the CEO of a small security company that was recently hacked by Anonymous are already making the rounds at conferences advocating just such measures.
Last we come to the members of LulzSec. What's their motivation, and what's their level of skill? There have been somewhat conflicting and vague claims from the group as to what their aims are. In some cases they attempt to cast themselves as "hacktivists" and claim to be conducting attacks for ideological reasons. The only consistent claim is "for the lulz," which is certainly the most accurate. From examining reports on their body of "work," and sources such as The A-Team, it doesn't look like the skill is particularly high (contrary to what I've heard several "experts" say publicly). I do have my suspicions about the source of the latter "dox" (think rootkits and an obsession with social networking), but it seems fairly accurate. By the most credible accounts, LulzSec used mostly SQL injection, file inclusion, well-known Linux privilege escalations, hash cracking, and Google fu to facilitate their attacks.
I draw the following conclusions:
a) they are attacking sites purely because they can, for their own entertainment
b) they're largely hitting targets of opportunity and making up justifications after the fact (with the exception of a few really soft targets, like PBS)
c) they don't have an "elite" level of skill, otherwise they'd be plying it (legally or otherwise) to make money, which brings up
d) they apparently don't have a lot to live for, otherwise they wouldn't jeopardize their futures so callously.
There has been some head-scratching on various fronts related to that last point. It seems a number of people, in particular @armorguy of the Southern Fried Security Podcast, just don't understand what's so fun about breaking into dozens of systems illegally, when there are more constructive things one could do with their time. Did these people never toilet paper a neighbor's tree, or drive around smacking mailboxes with baseball bats, or sneak onto school grounds after dark to play a prank, or launch shaving-cream balloons at plate-glass windows, or spray-paint a water tower, or... well, any of the hundreds of other stupid things teenage boys do for fun (lulz)? It's really simple: it's more fun to do something without permission. This is why professional pen testers have been living vicariously through LulzSec. Yeah, breaking into systems within a permitted scope for a paycheck is nice, but it's just not as thrilling as realizing you just got into a mineral company's mainframe through their unsecured modem.
So why is the story so sticky? Because a lot of security folks wish they could be LulzSec, and the rest wish they could catch them.