For 50 fun and exciting (and, depending on which side of the fence you’re on, terrifying) days, a new group of haphazard hackers known as LulzSec have been terrorizing the Internet.
Reportedly, the six members of LulzSec were originally members of Anonymous (another well-known group of hackers). Either that, or they weren’t. Let’s face it — most of what is known about the group has (at best) been assumed or cobbled together. Several official statements have been released by the group itself; whether all, some, or none of the facts contained within those releases should be believed is still open for debate.
What is not up for debate is the group’s track record. In fifty days, the merry band of bandits have infiltrated multiple servers and websites and publicly distributed their findings across the Internet. Early on, the group hacked and released information from Fox, PBS, and Sony — all in the same week. Once they had the world’s attention, LulzSec turned up the heat by attacking more high profile targets. They pilfered user data out of FBI Infraguard sites not once, but twice (Atlanta and Connecticut). They released the user database of a porn website, further embarrassing the US Government by highlighting the .mil and .gov e-mail addresses within. A day or two later, LulzSec released a list of users and files stored on senate.gov. In the midst of all these attacks, they also performed DDoS (Distributed Denial of Service) attacks against the CIA and the Serious Organized Crime Agency (Britain’s FBI).
It all sounds a bit Robin Hood-esque until you release that with all of their database leaks, millions of innocent Internet users (folks just like you and me) had their e-mail addresses and passwords publicly exposed and distributed. Anyone using the same password for multiple websites found out the hard way why that’s a real bad idea; with each database released, bottom feeders quickly scoured the Internet looking for places to try them. LulzSec’s Twitter feed was flooded with stories from people successfully “hacking” other people’s Facebook, PayPal and eBay accounts. At least Robin Hood stole from the rich to feed the poor; LulzSec was essentially stealing blank checks from people’s banks, throwing them up into the air and saying, “Have fun!”
In perhaps one of their most brazen moves, LulzSec released a large torrent of data belonging to Arizona Law Enforcement. According to the group’s press release (yes, LulzSec had press releases): “We are releasing hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement. We are targeting AZDPS specifically because we are against SB1070 and the racial profiling anti-immigrant police state that is Arizona.” This was the first release that felt politically motivated instead of simply “for the lulz”.
On Day #50 of their “hacking spree,” LulzSec announced that they were closing up shop while simultaneously releasing internal data from AOL, AT&T, and user dumps from several different websites. I’ve checked out most of LulzSec’s releases, but haven’t been able to look through this one yet as ThePirateBay has removed it. This is akin to the Legion of Doom kicking out Lex Luthor for being too evil. (EDIT: I checked it out; it contains what it advertises to.)
LulzSec claims to be retiring “because they’re bored,” which almost no one believes. The prevailing theory is that either authorities (semi-likely) or rival hackers (very likely) are zeroing in on the group’s members and real world identities. A couple of days ago, a group known as “The A-Team” released (according to them) the names, addresses, and a lot of other information belonging to the members of LulzSec. The members of LulzSec deny the info is valid … which is what I would do, too.
Unless these guys have gone to great lengths to hide their identities, especially from one another, I predict LulzSec will implode from within. Anyone who watches cop shows knows that the first guy to squeal gets the lightest sentence, despite any pre-arranged “pinky swears” within the trusted circle. As I wrote in the documentation that I included with eCoder Ring, “this encryption tool will stand up to just about everything … except water boarding.” From a technological standpoint, I believe encrypted codes generated by eCoder Ring are technologically unable to be brute forced; however, pull one of my kids into the room and start punching them in the face, and you could get the keys from me very quickly. I believe the members of LulzSec to be proficient coders, well versed in networking and security exploits; I also suspect that a week or so of bread and water, combined with the removal of a toenail or two, would probably get you explicit details as to the inner workings of the group. No matter how well you are able to electronically hide your trail … toenails, ouch.
Recently LulzSec began referring to the “AntiSec” movement, encouraging all hackers to do their own hacking in the name of AntiSec. “We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us,” LulzSec said in their final release. Sounds a lot like the end of Fight Club to me, but eh. With the dissolution of LulzSec and a public plea for people to join the AntiSec movement, it seems as though the members of LulzSec hope to slip away unnoticed into the night. Good luck. I suspect most hackers eager to join this movement are waiting to see if the members of LulzSec get a slap on the wrist (I can’t imagine) or end up in, as Office Space so eloquently put it, “Federal pound-me-in-the-ass prison.”
For all parties involved, there have been lessons to be learned. For everyone doing business online today, a push must be made toward web security. Customer data (at a minimum) must be encrypted. Companies must audit their web security. As consumers, we must use different passwords for every site, we must use secure passwords, and we must use secure answers to password recovery questions.
As the Lulz Boat sails off into the sunset, we are only beginning to experience their wake.
I figure any of these canaries who actually sing will wind up next door to Bradley Manning.
I hadn’t heard about the porn site hack and the .gov revelations within – that’s kind of amusing (and, as a taxpayer, it must be said: annoying).
I found the release of the police officers home addresses, phone numbers, wife’s phone numbers to be immensely upsetting. The officers put their lives at risk every day for their _job_. The every day police officers did not write the controversial law. Why put their families lives at risk? I just don’t understand it.