(2 of 3)
LulzSec and Anonymous have been proving with alarming regularity that the data we've entrusted to corporations and institutions isn't as safe as we'd like. If information privacy wasn't our first concern, it's now in the top slot. Anonymous evolved from the fringy website 4chan, where posters frequently signed in as anonymous, and gained acclaim as the hacking force that attacked MasterCard, Amazon and PayPal for canceling WikiLeaks' accounts after WikiLeaks released a trove of U.S. diplomatic cables. LulzSec is thought to be a splinter group of former Anonymous members.
LulzSec's name is a play on the texting abbreviation LOL, as in laugh out loud, which is what LulzSec has been doing at the networks (it claims to do it "for the lulz") that in its view aren't protecting users. Its members are skillful enough to hack into an FBI affiliate site and, according to LulzSec, leak its user base as well, always with a tweet. When an IT-security firm offered $10,000 to anyone who could hack its website, LulzSec did it and refused the money.
But it seems LulzSec might be shedding its Robin Hood persona in favor of more nefarious activity. Recently it announced via Twitter that it is teaming with Anonymous to steal and share data. In announcing Operation Anti-Security (#AntiSec), LulzSec stated plans "to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments."
In a missive it released after its 1,000th tweet, LulzSec explained a bit of its philosophy: "Yes, yes, there's always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz lizard era, where we do things just because we find it entertaining." In the meantime, counterhackers are vowing to track down LulzSec's membership.
Sony didn't find hacking particularly entertaining when its PlayStation Network was shut down on April 20. For more than a month, Sony had to take the network down, leaving about 100 million players without their fun and no doubt forcing parents to pay more attention to their children, and vice versa, until the company got it going again at the beginning of June at a cost of $173?million. The PlayStation Network had barely returned to action when LulzSec barreled into many of Sony's more than 10,000 websites worldwide. Yet when Sega's site was hacked by an unknown interloper, LulzSec signaled that it would track down the culprit.
LulzSec's beef with Sony indeed, with just about everybody is that the company's Internet security isn't good enough, so it must be named and shamed. Within Sony, the reaction was as much frustration as anger. It was not as if PlayStation owners were launching cruise missiles at endangered animals. The PlayStation Network was a community that willingly shared information; it depended upon a certain level of civil behavior. Nonsense, said LulzSec.
The Black Hats Are Winning
In that same release, LulzSec also warned the public about what it wasn't noticing: the everyday hacking of banks, businesses and individuals, incidents that the IT-security experts concede are growing rapidly. Black-hat hackers are adapting social networks to establish an evil ecosystem while exploiting its vulnerabilities to steal data and money. Their tool kit includes social-engineering techniques that dupe you into coughing up passwords. Their malware is getting better: botnets (networks of infected computers) are growing, as are "man in the middle" schemes that redirect your Web traffic.
It's a new plug-and-play environment as hackers specialize, link with other specialists as needed and offer a variety of goods and services. You don't even have to be a hacker to use some of the available products. There's 24/7 customer support. Malware consortiums like Zeus produce botnets that let you invade and infest computer systems. You can obtain specific parts of botnet code that you can customize for your own use to hack individual bank accounts. Need a "mule" to set up an account to transfer stolen money into? That service can be provided too. "There's a whole supply chain here," says AVG's Smith. "The guys who develop it, update, use it, and people who have to get the money. It's hard to find the guy."