At the weekend, LulzSec announced its decision to end its hacking campaign against government, technology and law enforcement organisations after 50 days of action.
So as LulzSec make their ‘lulzaby’, I turned to some of the information security industry's key thinkers to ask them what impact they felt LulzSec made in its 50 days of activism and, more importantly, what the impact was on the public, business and internet security in general.
David Harley, CEO of Small Blue-Green World, said that while he was not averse to raising consumer awareness of hacking, he did not believe in lavishing too much gratitude on LulzSec.
He said: “An awful lot of the victims of their disclosure attacks were not in a position to benefit from having their awareness raised, since their data was revealed. They may have taught some of the organisations that they targeted a sharp lesson as to the adequacy of their security, but they did so in a way that hurt hundreds of thousands of innocent people.
“I don't think the insight into the inadequacies of common passwording practice justifies the potential harm to people who have as much right not to be phished as the beneficiaries of the British Bone Marrow Registry.
“While the group may have been unnerved enough by some of the attention they received to cut their promised calendar year of fun to 50 days, I suspect they'll still be playing the buccaneer in other contexts, maybe a little less boldly. I imagine we'll see some more action from rival groups trying to get some glory of their own, though whether LulzSec have left them enough soft targets to emulate their PR success is another question.”
James Lyne, senior technologist at Sophos, said: “What they were doing was not high-end, apart from attackers executing a handful of vulnerabilities that we should have dealt with, such as SQL injection and backend flaws. While it is a dilemma as to whether they would have been successful with similar actions, other hacking groups such as Anonymous do still exist.
“They also amassed 300,000 Twitter followers, which is no mean feat, so the real lesson has been learned and this has got people thinking. They have got the press attention and some groups have used technology, but the hacking and displaying of stuff is never right, as you are putting people at risk. Now, from a campaign of awareness to the dark side, there is a line that has been crossed.”
Chris Wysopal, CTO of Veracode, agreed with Lyne that LulzSec has raised more awareness about the risks of personal and corporate computing on the web than anything else has in the last five years. However, he claimed that it is an unfortunate state of affairs that people and organisations often do nothing to address their vulnerabilities until exploitation is demonstrated.
He likened the campaign to the vulnerability disclosure campaign of the L0pht and others in the late 1990s/early 2000s to expose software vulnerabilities in Microsoft, Oracle and others, but said that this was only half of the battle, as it took incidents such as Code Red and SQL Slammer to get Microsoft to address its security failings.
He said: “SQL injection is rampant today. We are getting calls daily from businesses that have fallen victim to it and from some proactive businesses that have seen their peers fall victim to it. Unfortunately it is still mostly the former.
“There will definitely be followers to take their place. LulzSec has demonstrated what can be done. Followers may not be as organised, branded and humorous, but the demonstration that pain can be inflicted by activists through the cyber domain means that they have the skills and want to shame and punish and others will do the same.”
Ed Rowley, product manager of M86 Security, said: “For the last 50 days LulzSec have been undertaking tabloid-friendly hacking and publishing stolen data under the auspices of doing the right thing: unfortunately there's nothing really new there at all and like naughty children, at the first sign of an adult or a bigger kid, they run away.
“Once again we have an example of a group of people who are all too happy to promote their rights without understanding their responsibilities and like many rebels of the past, they'll probably soon be moving on to join the corporate world where they'll eventually embrace what they've been seeking to destroy.
“Nevertheless, LulzSec's successes have highlighted the risks associated with the internet and the problems of securing data, and anything that can help raise awareness in this area is a bonus. Unfortunately for the folk at LulzSec, their actions also help to legitimise both the claims of the IT security industry, as well as governmental desire to establish more control. Who's laughing now?”
Gerhard Eschelbeck, CTO at Webroot, claimed that while havoc has been created within companies of all sizes, security awareness has been raised for all of the wrong reasons. “Organisations were pushed into crisis mode and had to make rushed decisions about security programs and architectures.
“My concern is that the pendulum will swing from today's extreme of insufficient security protection, to a new world where everything will become cost prohibitive due to security, and we may be missing the healthy middle ground, whereby security protection is tailored for the respective asset value,” he said.
Overall it seems that the attitude is 'thanks for the effort in raising awareness but we're not happy about the way you went about it' and 'have some thought for the victims'.
The members of LulzSec now face a fork in the road in terms of their future: stay a hacker but work for the greater good, or keep on with the hacktivism and bring companies down.
Andy Kemshall, CTO and co-founder of SecurEnvoy, however, praised the actions, saying that exposing the blasé attitudes of government and businesses without any personal financial gain will make a difference in the long term to the security put in place to protect our own personal data.
He said: “While many are claiming the attack is a bad thing what they're forgetting is, at the end of the day, it comes down to a fundamental failing on the part of the organisation that allows these criminals in. If they didn't leave their networks unlocked, there wouldn't be a problem.
“These techies are up to speed and are useful to the industry. What people choose to ignore is that many of today's experts are ex-hackers themselves, so Anonymous and LulzSec are actually tomorrow's authority. They offer fresh ideas and they're exposing new vulnerabilities that the ‘good guys’ may not yet have seen or even considered.
“The simple truth is that we're going to need their expertise if we're to defend ourselves against other countries and those malicious hackers who are out for financial gain. Instead of persecuting them, we need to recognise their talent, embrace their expertise and encourage them across from the dark side to turn their expertise into something constructive rather than destructive.”
In the future when you think about hiring a penetration tester or white hat, you never can tell - there just might be a gremlin in your house.