1990s hackers ran rampant, breaking into and compromising some of the most
sensitive business and government systems worldwide. Their incredible
success led to major industry adjustments. Corporate and government IT
departments adjusted their policies and cracked down on security. New
security-centered firms were born.
But this year there has been an explosion of high-profile system intrusions the
likes of which have not been seen in a decade. And for all those fancy
protections, one thing is clear -- much of the "security" of modern
systems appears to be an illusion.
And the web has yet again became a digital Wild West -- a place where the lines
between good and evil blur; a place where the strong become the weak, the weak become the strong, and the newly strong victimize the newly weak; and a
place where the line between mercy and destruction rests on the personal
prejudices of bands of digital bandits.
I. 2011: Year of the Hacker
On Monday, LulzSec ("Lulz Security") published a
data dump of a thorough intrusion of the front end of the U.S. Senate's
servers. But this is far from the first significant intrusion this year.
Let's pause to briefly recap a few of the most important hacks:
Jan. 4: Anonymous uses distributed
denial of service (DDoS) attacks to take down Tunisian
Jan. 10: Anonymous hacks Irish
centre-right party Fine Gael, defacing its website and accusing it of
censorship. Over 2,000 party-member accounts are compromised.
Jan. 18: Members of griefer
group Goatse Security are charged by
the U.S. Federal Bureau of
Investigation for their role in exposing
iPad user information.
Jan. 28: British police arrest
five alleged members of Anonymous.
Jan. 28: CNET reports
that Goatse Security's homepage is defaced by an
ex-member. We reveal that this appears to be
a publicity stunt, though for the record a spokesman for the group firmly
Feb. 3: Anonymous members
uses DDoS to take down the websites of the Egyptian government during
the revolution against dictator Hosni Mubarak.
a security contractor is hacked by Anonymous via SQL
injection, social engineering, and other tactics. 68,000
emails are dumped, including ones that implicate that the Bank of America
hired HBGary to try to attack Wikileaks.
Feb. 10: Chinese hackers steal
information from seven oil companies in an operation dubbed
Feb. 10: White paper states
passwords can be exposed via a jailbreak-driven attack.
Feb. 17: China implicated in
on Canadian government servers.
Feb. 24: Ex-soldier
hacktivist "The Jester" (th3j35t3r) takes down hate
websites of the Westboro Baptist extremist Christian cult.
Feb. 27: Anonymous begins attacks on Koch Industries, Inc.,
an American manufacturing conglomerate who spent millions lobbying against
unions and paid massive campaign contributions towards Wisconsin's "union
buster" Governor Scott Walker.
Mar. 1-6: Malware forms a botnet of
260,000 Android phones, Google Inc. (GOOG) offers a tool to remove
the offending rootkit.
Mar. 7: Unknown parties make off
with $1.2M USD Microsoft Corp. (MSFT) via points scam.
Mar. 14: Anonymous releases
grabbed documents indicating that a Bank of America property possibly
committed foreclosure fraud.
Mar. 18: Security firm RSA reports that
its been hacked.
April 2: Anonymous launches
a DDoS attack against Sony Corp. (TYO:6758) in response to litigation
against hardware hacker George "GeoHot" Hotz.
April 4: Epsilon Data Management
LLC is hacked, revealing millions
of users' email and contact information. Affected companies
include US Bank; TiVo, Inc. (TIVO); JPMorgan Chase &
Verizon Communications, Inc. (VZ);
Capital One Financial Corp. (COF);
Marriott International, Inc. (MAR);
the Ritz-Carlton Hotel Company LLC; Citigroup, Inc. (C);
Brookstone, Inc.; McKinsey & Co., Inc.; the Kroger Comp. (KR);
Walgreen Comp. (WAG); India's Jet Airways
Kraft Foods Inc. (KFT); Best
Buy Co., Inc. (BBY); Robert
Half International Inc. (RHI);
and Ameriprise Financial, Inc. (AMP).
PlayStation Network is hacked, 77 million records compromised. Anonymous is later
implicated by Sony in the hack, but most believe that the greater
collective was not involved. Sony Online Entertainment is also breached,
24 million records lost.
April 19: Hacker threatens
to breach U.S. wind facility, showing limited access information.
Attack is later ruled harmless.
April 26: Sony announces that
the PSN was hacked.
May 2: SOE announces that its
customer database was
May 7: Sony sweepstakes site is
hacked via a simple
Google Search, 2,500 records lost.
May 7: FOX's X-Factor
TV show contestant database leaked in SQL injection attack by LulzSec.
May 10: LulzSec leaks FOX's
website admin accounts, employee passwords, and a sales database.
May 15: LulzSec leaks a database of UK ATM information, including who
owns machines, where they're located, etc.
May 17: Android authentication
due to insecure API.
May 20: Sony is found to be hosting a phishing
page on its servers, courtesy of hackers.
May 20: Employees at several
Apple, Inc. (AAPL) Genius Bar locations
report (according to Ars Technica) that 1 in 20 Mac computers
is infected with the MacDefender trojan, Apple orders its
techs to feign ignorance on the topic.
May 21: Unknown parties steal
$1,220 in virtual currency from 128 accounts on a Sony-owned internet services
May 21: Hacker
"k4L0ng666" defaces Sony
Music Indonesia website via SQL injection.
May 22: Hacker
"b4d_vipera" defaces Sony BMG Greece website, takes 8,500
records via SQL injection.
May 23: LulzSec leaks contents of
Sony's Japanese websites (no user records) via an SQL injection
May 24: Sony Canada loses 2,000
some records in an SQL injection attack by Lebanese hacker group Idahc.
May 25: Sony promises affected
year of free identity theft protection.
May 29: PBS is
hacked by LulzSec after the hackers take issue with its
coverage of Wikileaks. Hackers post fake news
stories and deface its page, and wreak havoc on its servers.
May 30: Information from RSA hack
to penetrate Lockheed Martin Corp. (LMT) servers, Chinese
connection is suspected.
June 2: LulzSec uses
SQL injection to scoop a reported 1
million records off a Sony Pictures sweepstakes website. Sony
claims the actual number is only 38,000
June 2: Sony BMG Netherlands and
Belgium have 1 million records exposed via SQL
injection from unknown parties. Records include user names and plaintext
June 2: Gmail accounts are hacked, Chinese
government is fingered, as accounts belonged to Chinese dissidents;
2-3: In a
spat over a particular user LulzSec DDoSs popular
hacker magazine 2600's IRC chat servers and proxy servers.
The dispute is eventually resolved after members and publication admins
have a chat.
June 3: Names, photos, and email
addresses of 120 developers lost in a SQL injection attack on Sony
June 3: FBI affiliate Infragard
by LulzSec, emails and more released.
June 3: LulzSec warns Japanese game maker
Nintendo (TYO:7974) of gaping hole in its online security.
June 5: Anonymous publishes
the names, passwords, and email addresses of several prominent Middle Eastern
June 5: Sony Pictures Russia is
breached via SQL injection, user records from several databases are dumped to
June 6: Sony BMG's internal
network is mapped by LulzSec in
new breach; SCE developer code is also taken.
June 8: SQL injection attack
drops yet more records from Sony Music Portugal, Idahc claims
responsibility.June 8: LulzSec hacks "unhackable" webpage from security firm Black & Berg Cybersecurity Consulting, LLC and refuses cash prize, saying they "did it for the lulz."June 9: Using Low Orbit Ion Cannon (LOIC) DDoS attacks, Anonymous targets Turkey for "censorship".
June 10: LulzSec posts admins
records, accounts of government officials purloined from databases of
June 10: A group calling themselves "Anonymous India" attacks the Indian army website with DDoS attacks.
June 12: LulzSec publishes
a thorough network intrusion of
Bethesda Softworks and ZeniMax Media that includes source code, network
mappings, and more. Group doesn't publish user information because it
says "[W]e actually like this company."
June 12: U.S. Senate servers are hacked by LulzSec,
though classified servers are not penetrated.
June 12: Spanish police arrest
three alleged members of Anonymous. Anonymous responds
with a DDoS takedown of Spanish police websites.June 14: "Titanic Takeover Tuesday" is launched by LulzSec. The group strikes gaming magazine The Escapist, the servers of EVE Online, the site of government contractor software firm Finfisher, servers for Minecraft, and servers for League of Legends, a MMORPG.June 14: Anonymous targets U.S. Federal Reserve Chairman Ben Bernanke, via a post on their ops site. It is unclear whether any attacks materialized.June 14: Turkey arrests 32 alleged members of Anonymous, group vows revenge.June 14: In a Pastebin posting Anonymous condemns the attacks on the Indian government, saying they were perpetrated by an "imposter".
(Thanks to Wikipedia and Attrition.org for listings of and links to
detailed information on some of these hacks.)
Vital Stats on Major Hacks:
Number of Attacks on Sony: 19
Number of Hacks by LulzSec: 18+
Number of Hacks by Idahc: 2+
Number of Hacks by Anonymous: 11+
Number of Hacks suspect to have originated in China: 4+
Number of Hacks on U.S. Gov't or Contractors: 4+
II. Profile: Recent Anonymous Activity
One of the largest and most active hacker collectives is Anonymous.
Known as a group where inexperienced hackers can get their hands dirty,
the collective has a large worldwide presence. Anonymous is loosely affiliated
with the image-board site 4Chan. The group does not have
official leaders -- any member can act as an organizer at any given time,
trying to convinced members to do attacks or "operations" as they typically call them. Most communication among members is accomplished via secured IRC chats.
Very active members sometime serve as "spokespeople" for the group,
to spread information about its activities for those who don't troll IRC
channels daily. Obviously these spokespeople don't speak for all members,
but they offer a decent perspective (typically) on the group's thoughts and
actions. The site AnonNews.org is the group's primary site for press releases. The group also maintains a Twitter account.
In recent weeks Anonymous's attention has been split between the
Middle East and Sony. Though ostensibly Anonymous as a
whole is not attacking Sony any more, some individual members or groups of
members are believed to be.
Three members of the group were arrested
last Friday in Spain because the Spanish government believed they were
key organizers of the group. Anonymous engaged in a war of DDoS attacks
and semantics with the Spanish government. But at the end of the day it's
unclear whether or not the men taken into custody truly organized any attacks
with the group.
Last weekend the International Monetary Fund (IMF) was hacked, just days after Anonymous tweeted
"#OperationGreece: Target: http://www.imf.org" and the IMF issued a
statement that it was prepared
for the attacks. The IMF is a group responsible for global finances.
It appears someone -- perhaps China -- beat Anonymous to the
punch. The IMF says its servers were hacked over the weekend by an
attacker who appeared to be
a sophisticated "nation state" aiming to establish a
"digital insider presence".
The attack showcases a growing issue -- the fact that it's often very unclear
who has attacked a particular entity. This is the case as often the same
entity is the subject of cyber-aggression from multiple parties. Furthermore,
publicized attack plans can be cleverly exploited by those who wish to
obfuscate their presence. In that sense groups like Anonymous may
find themselves increasingly "framed" by true attackers, given their
propensity to sound off online.This was seen yet again in last Friday's attacks on the Indian military and government from a group calling themselves "Anonymous India". The "real" Anonymous condemned these attacks saying it played no part in them. Yet many articles were published that fingered Anonymous itself for the attack. In short it appears Anonymous's name was was (ab)used in a politically motivated attacks.
Anonymous still appears very active, as evidenced by its recent
leak of emails and passwords of officials in Bahrain, Egypt, Jordan, and
The group's membership is believed to be large. Some members are
ostensibly non-hackers, but just enjoy participating in the group's
eye-catching public demonstrations, in which actors don Guy Fawkes masks.
III. Profile: Recent LulzSec Activity
LulzSec exploded onto the scene in May with a series of high-profile
intrusions, most noticeably focused at Sony. The group maintains an
active PR website, a calling board, and an active Twitter presence.
However, it is thought to be a smaller, more elite group than Anonymous.
LulzSec does not bear any official affiliation with Anonymous,
though they share some common enemies. Like Anonymous, LulzSec is
thought to be a group without a leader.
The group appears to be increasingly flaunting its abilities against the U.S.
After targeting an FBI affiliate earlier this month, the group targeted several
government officials in its recent porn database breach. Some of these
entries appear to be joke user names (for example
"firstname.lastname@example.org" with password "karlmarx") from people
who aren't actually in ownership of government emails.
Others -- like U.S. Army soldiers James Ben Hopkins and Aaron C. Sewell and
U.S. Air Force fighter pilot Wade Quigley -- appear like real people. Of
course, someone could have used those emails as a prank against those
In addition to calling out porn users with government emails, LulzSec completed
a major breach of the U.S. Senate's servers this Sunday.
Martina Bradford, the deputy Senate sergeant at arms, said on Monday to Reuters,
"We were responding to their allegations. Basically what we're saying that
the server they got into is for public access and is in the public side.
Although this intrusion is inconvenient, it does not compromise the security of
the Senate's network, its members or staff. Specifically, there is no
individual user account information on the server supporting senate.gov that
could have been compromised."
This makes sense. Despite the U.S. governments lack of savvy in
cybersecurity, it should know enough to air gap public accessible systems from
classified ones. In that regard the LulzSec breach may do
little other than to irritate the government.
States Stewart Baker, a former cyber official at the Department of
Homeland Security and current employee of security contractor Steptoe and
Johnson, "The hackers may have done the equivalent of burglarizing the
Senate and bragging because they managed to steal a bunch of souvenirs from the
LulzSec though, never claimed the hack to be a major one. It said
it was "just for fun". The published documents show mostly
processes running on one of the servers, images hosted on the Senate's various
pages, and code from some of the pages. There's no "smoking
guns" in the archive so to speak.
Ultimately, the hack should serve as an interesting test, though. To date, LulzSec has
disguised their identities, ostensibly using proxies, Tor, and other assets.
But the question remains whether they will be able to remain anonymous if
the FBI, U.S. law enforcement community, and private security contractors bear
down on them.
If the U.S. can't catch LulzSec now, it's unlikely they ever
will.Paying little mind to such matters, LulzSec's "Titanic Takeover Tuesday" proceeded neatly, with the group striking Minecraft, EVE Online, and League of Legends. The DDoS attacks brought down the games' login servers. EVE Online took all their servers, including their website offline as a precaution to protect users, though they said no data was lost. Likewise servers of gaming magazine The Escapist were slammed, making access to the site intermittent on Tuesday.The group's motivation for the attack appears to be to mock online gamers. States the group via Twitter:Now accepting calls from true lulz fans - let's all laugh together at butthurt gamers.The only "serious" attack appears to be attack Finfisher, which LulzSec says it targeted for "because apparently they sell monitoring software to the government or some shit like that."
LulzSec's targets appear to be primarily gaming firms, the government,
media sites, and most of all Sony. Expect more attacks in coming weeks as
the group likely has become emboldened by their successes thus far.
IV. The Road Ahead
Both LulzSec and Anonymous can be construed as principled griefers, in a sense.
If their members like you, they may deliver the news that your network
security is pathetic in a bit more gentle fashion. If you're their enemy,
though, they can be merciless.
It's unclear why 2011 has been such a remarkable year in terms of system
intrusions. Anonymization services like Tor and proxy services have
certainly played a role -- but Tor has been around since 2002. Likewise,
international turmoil in the Middle East and China has stirred the pot, but there
have been plenty of other unrest-filled years over the last decade.
What is clear is that 2011 appears to be the year of the hacker.
As long as some companies:
1. Conduct themselves in a belligerent fashion towards tech-savvy members of
the online community
2. Store passwords in plaintext
3. Fail to protect against SQL injection attacks
4. Keep stale data online
5. Fall victim to obvious social engineering plots
...and as long as some users:
1. Use short passwords
2. Use dictionary word passwords
3. Use the same password for multiple sites
4. Fall victim to phishing
5. Use work emails for site registration
...these kinds of attacks should continue to regularly occur. You see,
the web may be the Wild West -- but the problem is less the outlaws' smarts --
it's their targets lack thereof.
For individuals, remember: if you avoid the above traps, companies may lose
your data, but your overall online presence and identity should be safe.
quote: sooner or later, somebody the size of Sony is going to get royally pissed-off and then the attacks will quietly cease
quote: Like fixing their inadequate protection on their systems.