LulzSec: Not Robin Hood, more like Bonnie and Clyde
This article has been updated from its original form to include LulzSec's announcement that it is disbanding.
The arrest last week in England of alleged LulzSec hacker Ryan Cleary did not immediately slow the organization (or disorganization) that likes to think of itself as some kind of anarchist front. Late on June 23, the group claimed responsibility for breaking into e-mail accounts of the Maricopa County, Ariz., Sheriff’s Office through its public website and stealing data.
But on June 25, the group suddenly announced on its Twitter feed that it is disbanding, the Associated Press reported. Whether this is the last we'll hear from this particular group — LulzSec didn't give a reason, but the attention it's getting from the FBI, other law enforcement agencies and other hackers just might have something to do with it — its ability to embarrass government and corporate organizations should serve as a warning.
Like the others before it, the Arizona incident says more about the victim than it does the perpetrators. LulzSec has claimed credit for a long list of smash-and-grab break-ins in its brief crime spree, and the hacks have mostly been commonly available, brute-force efforts that the victims should have been able to protect themselves against.
Shame on them for allowing themselves to become victims and for giving LulzSec anything to crow about.
Group claims hack of LulzSec, as suspected member is formally charged
Risk management: The answer to security, or the problem?
We’re not talking about master criminals or good guys here. This isn’t Robin Hood. These guys are the cyber equivalent of Bonnie and Clyde, a pair of social misfits who received a lot of attention through their indiscriminate violence and who in reality were pretty inept as bank robbers and never gained the respect even of their outlaw contemporaries. It made for a good movie, but they were nothing to emulate.
Like those Southwestern bandits, LulzSec has thrived on publicity but accomplished little.
“Their Achilles heel is they want attention,” said Rob Rachwald, director of security strategy for the security firm Imperva. “I’m not sure they are intentionally self-destructive, but they are very pompous and cavalier.”
They are invincible — as long as nothing happens to them. “You don’t feel the heat until you get arrested,” Rachwald said.
That process has begun — and might not end just because LulzSec announced its dissolution. Not only are the police after them, but other hackers have turned on them as well, because their high-profile, smart-aleck attitude and penchant for theft is giving hacktivism a bad name.
But the attention LulzSec has generated is not all bad. “The positive part of it this is that it is forcing people to think really hard about their security posture,” Rachwald said. “It’s putting a focus on security.”
What LulzSec has been doing is not terribly sophisticated. As is so often the case, organizations are being breached and embarrassed because of inadequate security rather than because of the skill of the attackers.
There are sophisticated attackers out there, using sophisticated tools and exploits taking advantage of zero-day vulnerabilities to get through elaborate security. These are serious and deserve attention. But most of the breaches we see, including those from LulzSec, are the result of not having adequate defenses in place to protect against known threats.
Like the bad guys who don’t feel the heat until the police close in, systems administrators often don’t pay attention to a threat until they are attacked. The fact is, no one is immune from attack. If you already are high-profile, like the Senate or the CIA, that makes you an attractive target. If you do not already have a high profile, a successful attack will give you one.
In the end, security is about risk management. You cannot make yourself perfectly secure, but you should be able to achieve a level of security commensurate with the resources you are protecting. This would protect you against the efforts of egotistical wannabees such as LulzSec and deny them the attention they are seeking.