A new online organisation naming itself LulzStorm appeared this week, with its first action being to upload a torrent containing the personal information of thousands of Italian university students.
The group said that it is neither Anonymous nor LulzSec and does not like some of the actions taken by LulzSecITA, adding that it ‘shares many ideas, we really like their work, but we are not them’.
It said that the action taken was to ‘tell every Italian student how little secure their personal data are’.
“SQL injections everywhere, cleartext passwords. Do you know what does it means? It's not like leaving your house open to everyone, it's more like to hang a sign that says ‘enter here’ above the door and if after that people keep saying their server was not compromised denying the evidence, they are only more lulz for us,” it said.
The group tweets at LulzStorm and has attracted over a thousand followers in under two weeks.
However, its actions and the wider ‘antisec’ movement have not been met with approval from white hats. Rik Ferguson, director of security research at Trend Micro, noted that the move was ‘clearly inspired by LulzSec’ but that it again impacts the safety and security of thousands of innocent internet users.
He said: “While there may be sympathy in some quarters for attacks on security contractors or government websites in oppressive states, that sympathy rapidly evaporates when the result of publishing stolen material endangers the lives of serving police officers, or when it compromises the privacy and safety of hundreds of thousands of innocent customers of online portals or gaming services.”
Speaking to SC Magazine, Ferguson said: “What the Italian guy did was not justifiable, it is not an excuse and they are hacking under the banner of antisec just because they can. Antisec is supposed to be about action against repressive governments, the FBI, contractors like HBGary and Booz Allen Hamilton, and we see that some might have cause.”
Ferguson, who has previously spoken out against the hiring of black hats by security and intelligence firms, said that the problem is that the majority of people now assembling under the antisec banner are doing this simply because they can, and that the convenience of having a ‘cause’ somehow makes it laudable.
He said: “Some people have ethics and want to demonstrate to a secure company that they are insecure and that is a valid point, but you do not need to put down uncensored data results from the hack. With the Romanian ‘Hackers Blog’, they would publish the vulnerability and proof of their actions, but they would censor out identifiable information so they have made their point.
“You do not need to publish personal information to make a point, the point is to make a security company aware of what they are doing online without impacting users.
“It is true that there are far too many poorly secured and configured websites out there. It is also true that the customers of those websites deserve a higher degree of care than they currently receive. It is manifestly not true to say that the interests of those people are best served by pasting their personal data all over the internet.”