Tuesday, September 13, 2011

LulzSec and Anonymous

Research LulzSec and Anonymous and post your findings (links) to share here.

Further, tell us what can we learn from these hacker groups?

People like Brian Honan (http://bhconsulting.ie/securitywatch/)
and security curmudgeon (http://attrition.org/security/rebuttal/rebuttal-lulzsec_ups_the_ante.html)
and Sam Bowne (http://www.rferl.org/content/lulzsec_is_utterly_irresponsible_anonymous/24272909.html)
have very different opinions on these groups.

Which do you agree with or do you have a completely different opinion to offer?

10 comments:

  1. Let's try this again...

    In regards to LulzSec, many will say that they are simply trying to expose some of the weaknesses in some websites. In return, the assumption is that corporations will improve its security due to the breach. I find it to be a typical BS defense. In other words, LulzSec says "Hey! you need to improve your security, look what we just did!"
    In my opinion, any group that takes down a CIA site is potentially causing a serious problem that could result to war. Taking down any DoD site constitutes a disaster to could unfold uncontrollably.

    http://en.wikipedia.org/wiki/LulzSec

    Anonymous is another typical hacking group that was involved in Distributed Denial of Service(DDoS) attacks back in 2008. They (Anonymous) see it as a way of protesting, but in reality it is considered a cybercrime. The definition of DDoS states: Attacks against servers can impact operation of the entire Internet. Our Financial, Healthcare, Aviation and Security systems run on the entire Cyber line (aka Internet) and any means of “impacting operation” is illegal.

    http://en.wikipedia.org/wiki/Anonymous_%28group%29

    So the only thing we can learn from these groups is how they managed to infiltrate our systems and what we can do as Security Analysts to prevent such future attacks.

    ReplyDelete
  2. my own opinion fallas between security curmudgeon and Sam Bownells. On one hand, I feel that outsiders exposing some SERIOUS exploits and breaches IS a GOOD thing. I think they are doing a favor IF they did not endanger people in many cases by how they follow up - posting credit info is just being a jerk, but posting DoD PASSWORDS could seriously cause deaths if opportunity handed that liberated information into the hands of those who would rather do some serious HARM.

    I'm reminded of a funny blurb I found in our text book, that warns that as an ethical hacker goes, if you want people to like you, this might be the wrong career choice because people RESENT having weaknesses in their systems exposed. It embarrasses them, and that the better an ethical hacker you are, the more enemies you will have!

    Part of me REALLY enjoys watching big corporations, get taken a peg down and shown up. But I feel that the posting of private information is not only invasive, but incredibly childish and immature. It may be meant as "proof" but they could just as easily simply turn that info right back to the companies themselves, if they were REALLY trying to do good. OR to a different authority. There might be alternate ways to expose them without just dumping a database for the public eye.

    a DDoS can be harmful...but it can also harmless, or even JUST, I think. Can anyone defend to me how much harm was done when Anonymous orchestrated a DDoS attack on Southboro Baptist Church, an organization that causes MUCH emotional harm to the families of dead veterans by protesting them with signs that claim "god hates fags/god bless that this person was killed"?

    https://www.infosecisland.com/blogview/12400-Assault-on-Westboro-Baptist-Church-Website-Continues.html


    or how about the hampering of the egyptian government during the egyptian riots?

    http://dailycaller.com/2011/02/26/who-is-anonymous-a-look-at-the-hacktivists-aiding-revolution-in-the-middle-east/

    ReplyDelete
  3. I'm also on the fence as far as agreeing with any of the viewpoints. Exposing vulnerabilities can be a good thing but needs to be done carefully.

    I was once employed in a small store that ran an open wi-fi network for customers...it used the same router that the registers and server were connected to, and the sensitive systems had no additional protection (the "password" was one of the first things a cracker will try). I stumbled across this when I was logged into the open network on my laptop and found some 'new' network drives with full read/write permissions. I logged what I was able to see (and by association, do), disconnected and notify the owner. Testing confirmed that while nobody could actually get to the register functions, they could alter inventory, purchase orders and customer accounts (add store credit, alter purchase records which could be used to return a stolen item for cash, etc).

    Despite knowing about this for over a year, he never did anything until something actually happened (and then proceeded to yell at me).

    I agree with you about Anonymous taking down Westborough Baptist Church. The "church" itself causes more harm to people than Anon did to it (although there are theories that it was done by WBC themselves; they sue anyone who crosses them in an attempt to gain legitimacy).

    ReplyDelete
  4. My personal opinion on "exposing some SERIOUS exploits and breaches IS a GOOD thing" is not good at all UNLESS they have the proper permission to do so. Technically, in my view it's trespassing without consent. If exposing such breaches reaches out before the corporation is notified, it could be disastrous!

    ReplyDelete
  5. Agreed. But (as proven by the Sony hacks) if the powers that be are notified but choose to do nothing, can the person who notified them be held responsible for whatever happens? If the answer is yes, to what level?

    ReplyDelete
  6. This is basically my personal observations of Anonymous and Lulzsec since it seems the base facts have been covered already

    Anonymous, an anarchic group, uses the face of Guy Fawkes to hide their identities and be a symbol for their group. Guy Fawkes, a man that tried to overthrow a government that gave its people more freedom in order to instill a more authoritarian government, irony sure does strike at the best of times and at the best of places. In short Guy Fawkes was a fighter for Spain and the Catholic Church. His goal in the gunpowder plot was to end the more egalitarian Protestant revolution in England by restoring Catholic domination. Thus, somehow, Guy Fawkes became the near universal symbol for anarchists. Or in other words anonymous, smart anarchic hackers that exude ignorance about their own symbol. But Anonymous does provide some help by being a real threat in the world of computers.

    Lulzsec, these guys earned my respect by attacking 4chan. I really can’t go any further than calling Lulzsec just another enemy at the gate to keeping the guards awake and on their toes.

    ReplyDelete
  7. I'm going to have to agree with Sam Bowne on this one. I don't really give too much credit to Anonymous or LulzSec. I think their behavior is immature, unethical, and in the end, doesn't really make as big an impact on their targets as they like to believe. They both perform these hacks with the idea of fighting a noble fight, giving it to the man, etc, but in the end they're leaking personal information, such as logins, passwords and email addresses, from people who really have nothing to do with the company or the beliefs that Anon/LulzSec oppose. By intentionally leaking this private information, they neglect the amount of damage/harm they are doing to these people, and for that reason I cannot support what they are doing. Despite that, I do think that there is a place in this world for "giving it to the man", etc. WikiLeaks is a good example of this. I think what we can learn from them is that in order to be taken seriously and benefit society, an activist group must take into consideration everybody in the information they release.

    ReplyDelete