LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

Summary: We're pawns in this new game of Internet attack one-upmanship. You know it won't end well. But we watch anyway as we realize that our security procedures have been a joke for years.

What happens when the CIA, Senate, various gaming sites, Citibank and a bevy of others are hacked on a regular basis by various groups with one-liners on Twitter and no formal organization? You lose confidence in the Internet and the data passing through it.

My confidence in Internet security---not that there was much in the first place---is looking like a wall made of Swiss cheese. We've known for years that our collective security policies---personal, enterprise, consumer and otherwise---were lax. Nearly every piece of software we use has some vector to exploit. Every site that touches a server is vulnerable. Even those fancy security fobs from RSA can be had. And don't get us started on passwords.

We can write about hacks, patches, vulnerabilities and attacks until our fingers fall off. In the end, we're all pawns as groups like LulzSec bring down sites for giggles. And LulzSec can be quite entertaining. I'd be a liar if I didn't note that the group has made me chuckle a few times. Now we're in this vicious cycle. LulzSec brings down the CIA site and says:

Tango down---cia.gov---for the lulz.

Media attention ensues in bunches. LulzSec rinses your shabby security procedures and repeats. LulzSec even starts a hotline.

It's all good fun. Until it isn't. Simply put, we're pawns in this new game of Internet attack one-upmanship. You know it won't end well. But we watch anyway.

The not-so-amusing thing is that all this attention will lead to more legislative and regulatory scrutiny and probably break a few good---yet security-clueless---brands. As noted previously, the European Union stepped up its sentences for folks caught attacking critical infrastructure. That's a tough-sounding step that's totally fruitless. How exactly is the EU going to catch these attackers?

LulzSec is a spin-off of Anonymous, which has pulled off more than its share of attacks. Anonymous is a spin-off from 4chan users. Good luck tracking those folks down. And you thought China hackers poking around various U.S. sites was worrisome. At least we can find China on a map.

Rest assured, legislators in the U.S. will follow the EU's lead. There will be tougher sentences and Congressional hearings about these attacks. With any luck, the Senate can keep its site running long enough to Webcast the proceedings.

In the end, the only thing that'll fend off attacks is better security---something that hasn't been built into the Internet or anything attached to it. When it comes to security, our infrastructure is the mother of all fixer-uppers. Enterprises are increasingly looking into cyberattack insurance as a defense. That's a nice fallback, but shouldn't the first line of defense revolve around buttoning down the various holes in your Swiss cheese infrastructure?

Talkback

66 comments
  • I think you're dead wrong on almost all fronts...

    Your view is analogous to blaming a woman for a sexual assault...and is an absurd defeatist view. Our "crappy" security is generally no worse or no better than the rest of the world (probably better), which you fail to mention, but we happen to be a popular target.

    The only thing that will really stop it is taking the fight to them. Vigorous enforcement and prosecution are one thing, but clandestine operations are another. Hold other countries and their ISPs accountable. If necessary, cut the cord.

    Your view basically accepts the attacks and places an obscene "security tax" on companies and organizations who happen to be targeted. We're basically allowing those targeting us to impose zero-value-added costs on US businesses that much of the rest of the world does not incur.

    My gut says we're on a fast track to a "parallel internet" - a secure, business-oriented internet with a rigorous process for gaining access and low tolerance for abuse.
    Rick_Bullotta
    • You missed the whole *barn* dude.

      @Rick_Bullotta

      Point 1: Security on the internet is next to impossible because of the complexity of software, hardware, and user interactions.

      Point 2: Even if (and it's an impossible if) secure design was easy (and it's not, it's a devil's brew of interactions which is not well understood), developers are never given the (serious amounts of) time it would take to get it right--nor is security something anyone is willing to pay for--either in money or convenience. Stupid users? Of course--but they also have to be able to *use* the damn thing.

      Point 3: It's been this way for *30 years*. That's a *LOT* of infrastructure to fix...

      Point 4: Anonymity on the internet is a *good thing*, a vital thing, but it has its price. There can't be a parallel internet for business because normal consumers (i.e. all of them) will refuse to use it.

      Point 5: Legislation is useless to combat this. And it isn't just the US under attack, it's everything, everywhere. Legislation won't work--remember you used to be hung for stealing a loaf of bread. Didn't stop anyone...
      wolf_z
      • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

        @wolf_z If you were hung for stealing a loaf of bread, you'd steal a sack of flour instead. If you're gonna hang, make it worth your while. Likewise, rather than these (or other) hackers merely highlighting issues, they'll be more inclined to use the holes for more nefarious purposes.
        mountjl
      • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

        @wolf_z
        hanged, not hung :-)
        CaptOska
      • Violent agreement on some points...

        @wolf_z actually, i think we violently agree. i agree that it can't easily be fixed (thus my suggestion of the need for a "secure internet"), that legislation doesn't work (thus the need for clandestine ops to fight back). i don't agree that anonymity is a requirement for commerce - in fact, isn't it really the opposite? A uniform digital ID would solve a lotta challenges there. Trying to think of a case for the need for anonymity in commerce b/n the buyer and seller and can't find one. totally agree that anonymity is *essential* on the public internet, though - it's a vital piece of the openness and vitality of the internet, indeed.
        Rick_Bullotta
      • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

        @wolf_z

        Business use of the current internet is where you have the least anonymity because of all the tracking cookies and other "spyware" crap on commercial sites.
        wkulecz
      • Do not confuse the CIA with Sony.

        @wolf_z

        Point 6. This is an external network portal, and not the CIA's internal network. Unless the article left something out . . . So basically it is Chicken Little claiming the sky is falling all over again. Where, *maybe* someone dropped a grain of sand.

        It is not hard to hack a web server at all. It happens all the time, and companies like AOL have had their WHOIS record "hacked" for years. Does that mean they've been penetrated? No.

        Is it smart to hack a CIA web portal? Probably not.
        yyrkoon
    • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

      @Rick_Bullotta

      Actually...no it isn't. We live in a world where people still store their passwords in text files on their desktops. Security is a human problem. There is no software patch for human stupidity.
      KojiroTakenashi
      • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

        @KojiroTakenashi
        The recent big security breaches weren't from users storing their passwords in plain text... The hacked companies stored them in plain text and let someone steal them. Shame on them, too.
        bobatwork
      • Good Points...and what about sentencing?

        @KojiroTakenashi
        We should also include judges in the Circle of Blame. Even considering that Dmitriy Guzner's cyber attacks on a religious Web site were obvious hate-crimes (which usually augment sentences), Guzner received one year in prison, then two years probation.

        To a 19-year-old hacker with another 60 years of criminal destruction to wreak, that's not punishment. That's bragging rights and high-fives.

        Per news dates, Guzner has been on the street for seven months.
        archetuthus
    • No.

      @Rick_Bullotta Sony's security was absurdly bad.... Seriously a SQL injection vulnerability exposed their whole database to lulzsec. SQL injection is web-programming 101 stuff. There's no excuse for that. You ALWAYS ALWAYS ALWAYS should sanitize user inputs before they go into queries as well as use prepared statements to prevent parameters from being a part of the parsed SQL.
      snoop0x7b
      • True

        @snoop0x7b yep. you can't legislate against stupidity, and bad programmers will always exist.
        Rick_Bullotta
      • Fault shared.

        @Rick_Bullotta So you do acknowledge that Sony has some share of the blame for not having competent supervision and programmers? I'm not saying Sony is entirely at fault, but when it's as easy as taking candy from a baby you've gotta ask why...

        When I review team members' code the top things I look for are how and whether they use prepared statements and whether they sanitize inputs correctly (XSS and datatype for weakly typed languages). It's a part of how our code review process works and it's something everyone should do. I'm of the opinion that if you're a multinational corporation accepting credit cards and asking for people's trust in order to store credit cards there should be some liability for negligence.
        snoop0x7b
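A minimal illustration of the point made in the two comments above (added here; it is not code from the thread, from Sony or from any of the parties discussed): the same user lookup written the web-programming-101 way, with the request value pasted into the SQL text, beside the version that binds it as a parameter and first checks its datatype. It uses Python's standard-library sqlite3 module and a constructed in-memory table.

```python
import sqlite3


def build_db():
    # Constructed sample user store (not real data) in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The mistake: the request parameter becomes part of the SQL text, so
    # whatever it contains is parsed as SQL rather than treated as a value.
    sql = "SELECT name FROM users WHERE id = " + str(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound_only(conn, user_id):
    # Prepared statement alone: the value is bound after parsing, so the
    # statement's structure is fixed and extra SQL in the input is inert.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def lookup_prepared(conn, user_id):
    # Datatype check (the "sanitize" step for a weakly typed input) plus the
    # bound parameter: malformed ids are rejected up front with a clear error.
    if not str(user_id).isdigit():
        raise ValueError("user_id must be a decimal integer")
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]
```

The classic tampered value "1 OR 1=1" returns every row from lookup_vulnerable, nothing from lookup_bound_only (the whole string is compared as a single value), and a ValueError from lookup_prepared.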
    • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

      @Rick_Bullotta

      On your first point, sorry, I don't buy your analogy. Just the analogy.

      Regarding prosecution, there are a lot of individuals in countries that don't have any sense of urgency about prosecuting individuals who are breaking into foreign computers. For example:

      http://www.wired.com/magazine/2011/01/ff_hackerville_romania/

      Keep in mind in the bigger picture, some cases will be state sponsored.
      -M
      betelgeuse68
    • you say that as if it's all outsiders running these attacks...

      @Rick_Bullotta
      You seem to act as if most of the attackers are all in other countries. Most of the new hacking groups are not national in affiliation. Anonymous and LulzSec are transnational, for instance. Sony? was not JUST attacked in the US. Heck, it's not even an American company, it's INTERNATIONAL.

      ...this is not like conventional warfare, it's more guerrilla warfare. The "enemy" are few, hidden in the crowd, able to hit the guys standing around, in uniform.
      shryko
    • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

      @Rick_Bullotta Your analogy is horrible. Sony was hacked in retaliation, not because it was dressed sexy. Sony, the CIA and Senate were not helpless victims. They all willingly joined the battle. You may not agree with the hackers' motives, but in their mind they are combating oppression. I see that you identify yourself with those that have been hacked, so are you the one you want us to feel sorry for? A woman sexually assaulted will get my sympathy, all you get is pity.
      Greenman76
      • Yep.

        @Greenman76 yeah, i agree in retrospect it's a shitty analogy. but the implication that "the targets were asking for it, so it's OK" doesn't make a ton of sense.
        Rick_Bullotta
      • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

        @Rick_Bullotta To you because you don't agree with them. Were they asking for it by having poor security? No, they were asking for it by taking the offensive against the hackers in the first place. You can only poke a dog with a stick for so long before it bites back.
        Greenman76
    • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

      @Rick_Bullotta

      I for one would welcome a return to the days when you had to "know someone" to get internet access and the threat of being cut off for bad behavior kept it to a minimum.

      Once it opened to anyone with a little money, the current situation always seemed inevitable to me. Actually it took a bit longer than I expected.

      Because of this, I'm a total Luddite when it comes to anything "important" and the internet.
      wkulecz
  • RE: LulzSec, Anonymous and hacktivism: Crappy security has caught up with us

    Next time, they will start frothing a bit less at the mouth because it took more than 2 hours to install and set up a Sun OS system, to do it well.

    Also, these lulz pirates are using DDoS so security is not necessarily at stake nor is the denial easily avoided even with proper setups.

    All this comes down always to the same bullcrap: crime has gone international over the last 40 years, while politicians and similar filth battle hard to keep the world divided, police forces impotent and so on.

    We are working hard in order to keep the world in a sad state. The hackers just use that sad state to their advantage.
    dfumagalli