EH-Net

we have all read the news lately, and we all have heard about Lulzsec and their escapades. We all know the opinion of the media and of the targeted companies. We know the opinion of Lulzsec (4 the lulz :P), but what do you think of this?

i personally as a white-hat i don't agree with their actions (ofcourse), but i see it as a revolution in the security world. Never before has a team of hackers been this open about hacks and clearly they really did think this through.

Whats your opinion???

In their latest "press release" they seem to be expecting to be caught eventually and they really don't care.  I wonder if they can really speak for the whole when they say that?  Hm.

That is a good point about them being open about their hacks, which normal people don't typically hear about.  My guess is in the underground the hacks are just as sensationalized, though I could be wrong.

The culture of Lulzsec saddens me because I feel it is a culture of people who have lots of potential that can't make proper use of it, and they need to express their frustration in a kind of cynical, fatalistic activism.  Maybe I'm old fashioned, but I believe anyone with the kind of dedication, expertise and innovation it takes to do these hacks can really make a good life using their talents legally (and morally for that matter).

While their adventures on the high seas are illegal, I like Patrick Gray's article Why we secretly love LulzSec (http://risky.biz/lulzsec):


They're finally able to open upper management's eyes as to how insecure everything really is.  They're able to do what infosec pro's have been unable to do (not due to lack of ability, but due to management's lack of caring).

It's mixed feelings really.  'Illegal...but thank you!' *shrug*

***Disclaimers about how LulzSec is doing illegal things and they are bad people, etc., etc., etc.***

On one hand I do see it as a revolution. High profile attacks give us (white hat professionals) backing when we make claims that security is not just a cost center but a worthwhile and necessary investment.

On the other hand, average Joe's (including the media and Executives) don't understand these attacks. It's hard to find stories in mainstream outlets that explain the attacks adequately. If there is one thing that scares people, it is the unknown. These attacks take place in a realm that might as well be supernatural as far as an average person is concerned. This type of fear can lead to unnecessary and far reaching efforts to crack down on internet activity. And that is almost as scary as steady string of high-profile attacks.

IMHO of course.  ;)

ladies and gentlemen: we got him...

http://news.sky.com/skynews/Home/UK-News/LulzSec-Hacking-Group-Essex-Teenager-Suspected-Of-Being-Mastermind-Arrested/Article/201106316016027?lpos=UK_News_First_Home_Article_Teaser_Region_0&lid=ARTICLE_16016027_LulzSec_Hacking_Group%3A_Essex_Teenager_Suspected_Of_Being_Mastermind_Arrested (http://news.sky.com/skynews/Home/UK-News/LulzSec-Hacking-Group-Essex-Teenager-Suspected-Of-Being-Mastermind-Arrested/Article/201106316016027?lpos=UK_News_First_Home_Article_Teaser_Region_0&lid=ARTICLE_16016027_LulzSec_Hacking_Group%3A_Essex_Teenager_Suspected_Of_Being_Mastermind_Arrested)

http://content.met.police.uk/News/eCrime-unit-arrest-man/1260269113895/1257246745756 (http://content.met.police.uk/News/eCrime-unit-arrest-man/1260269113895/1257246745756)

Maybe not j0rdy:

Twitter update: LulzSec The Lulz Boat
Seems the glorious leader of LulzSec got arrested, it's all over now... wait... we're all still here! Which poor b*stard did they take down?

Did seem a little too easy or fast.  But they do have every organization chasing them.  We will see I guess, who they really have.

I'm sure they'll be busting folks for a bit, yet.  Even if they get the leader, you KNOW others will chime in, to make it look like nothing happened, or to 'assume' a lead role.  Give the authorities some time.  They're not done busting, yet...

I am glad to see movement against these guys. My only hope is that the authorities can differentiate punishment between leaders and high-school or college kids that think installing LOIC on there personal computers makes them hackers. Should they be punished? Absolutely. Should it ruin the rest of their lives? Absolutely not.

I don't really agree what they have done is right but I also wonder if any of there members read these forums?

For this sticky situation, My possition would have to be as follows. I agree with the release of information they got from their hacks, HOWEVER I think they should have contacted said companies and informed them of the vulnerabilities without taking the information and posting peoples usernames and passwords online for griefing childish people to get their hands on and use however they please. What they are doing is illegal and as such they should be punished for their crimes, that's assuming they can be tracked down and arrested. I also feel that the LOIC that Anon has used so much is not a hacker tool, since from the information i could find on it tells me it's just for disrupting internet connections. Anyways that's my 2 cents.

Hacking is still hacking whatever word you will say it.  Its still not ethical and what they're doing is not that good.  Wish it was true that they're after Lulz for what they did.  Goodluck and keep us posted on their latest escapade. ;)

maybe, maybe not ;):

http://www.thesun.co.uk/sol/homepage/news/3651298/Essex-geek-Ryan-Cleary-is-Sony-hacker.html?OTC-RSS&ATTR=News (http://www.thesun.co.uk/sol/homepage/news/3651298/Essex-geek-Ryan-Cleary-is-Sony-hacker.html?OTC-RSS&ATTR=News)

Lulz is denying that he is the leader. They said the only way he was affiliated with them was that he hosted one of their public/legitimate IRC servers. Who knows what the real story is.

They're way to chatty not to get caught. They'll make a mistake at some point.

Well, I don't fully agree with your statement, above.  In the context of malicious 'hackers / hacking' I'd agree that it's illegal and unethical.  However, the term hacker did NOT originate as an evildoer, nor hacking as an evil practice.  In fact, looking up "hack" on http://dictionary.reference.com (http://dictionary.reference.com), yields the following definition:

Computers . to devise or modify (a computer program), usually skillfully.

That does NOT imply wrongdoing, nor does it imply a lack of ethics.  The original hackers were those who modified even their OWN code, to do things differently, etc.

This goes back to the debate over using the term "ethical hacker" versus "penetration tester"  If used in the correct context, either term is valid, but I tend to prefer to use Penetration Tester, so as to remove doubt.

Edit: But in the context of Lulz, etc, I'd agree... unethical

I am sorry but they are going to far and the people hunting them have more funds backing them they will get caught someday.

I completely agree with you. It even opened the eyes to many security managers.

Yeah but its a really crappy eye opener, I feel bad for them.  Also brings job security to the market though.

https://www.infosecisland.com/blogview/14706-LulzSec-How-Not-to-Run-an-Insurgency.html (https://www.infosecisland.com/blogview/14706-LulzSec-How-Not-to-Run-an-Insurgency.html)

The work of Lulzsec is clearly that of younger people. When there identities are known (and its not a question if, but when) you will see that the IT business is shocked that this can be done by some "kids who live with their parents". in the end they will spend a fortune on fixing everything, and within a few years it will all be outdated again, letting the story start from the beginning.

</doomsday-mind>

hmm, it may have happened sooner then i thought:

http://www.lulzsecurity.com (http://www.lulzsecurity.com)

Hacker on hacker action, interesting. On3iroi setup a wordpress site announcing some operations: https://on3iroi.wordpress.com (https://on3iroi.wordpress.com). He claims to be the one that took their site down.

The site is back up, they have added Arizona Law Enforcement info: http://lulzsecurity.com/releases/chinga_la_migra_1.txt

Amazed at those passwords!

In coordination with international law enforcement agencies, police in the UK have arrested a young male connected to an infamous hacker group. The Wickford male, aged 19 years, was taken from his home to Scotland Yard for supposed computer infractions. Here is the proof: Accused member of hacker group LulzSec arrested in UK (http://www.newsytype.com/7966-lulzsec)

That is the same guy that was arrested a few days ago that LulzSec has denounced all over Twitter as not being an actual member and blaming news media for putting out coverage on false information. Who knows, could be or maybe he isn't.

i always have to *facepalm* when i see another '12345' one...or any other 500 worst passwords password for that matter...

I have not looked at the document but could only imagine, but the problem is that no one is teaching these people what passwords should be.

the point is that you dont have to TEACH users about strong passwords, just enforce it...or if that is not "user friendly", provide guidance in choosing a strong password (like you sometimes see at website, with a colour bar that shows the strength of the password).

These guys are not info sec guys, they are police officers.  They probably don't have local IT guys to tell them what a strong password are or enforce. This sounds funny to us because we know what this is, but they don't.  And to say they don't need to be TAUGHT just forced well buddy thinking like that will never get you any where.  Forcing people to do something without explaining why they should do it is going to get you no where, this is why people don't want info sec because most of info sec guys have the mentality that I know more that you so just do it.  From what I have seen and read people work better if you inform them and then tell them the requirements that need to be met, you will get less resistance this way.  So with this said people need to be taught with security awareness.

You're absolutely right.  But I think you're a bit harsh on the rebuttal, towards j0rDy, El33tsamurai.  I don't think he intended it quite the way you took it.  By enforce it, I'm certain he meant having systems and policies, in place, to not allow 'weak passwords'

That said, this is exactly why both companies and govt agencies, alike, need better security postures, and training, guided by folks who do understand the in's and out's of 'real' security.

you are right hayabusa, thats exactly how i mean it. a security awareness training once a year wont hurt anyone, and by implementing policies and guidelines along with applications that just dont allow weak passwords (when you enter one you will get a message that the password is too weak and you have to choose another one) might be considered annoying, but giving the news items lately it has become mandatory to do so.

if you look at recent developments on password cracking, depending on the cracking and hashing method, an eight character password containing all possible characters takes about a day if you have "just" a high end workstation. after that it becomes significant longer (nine takes about a week and ten takes 20 years or something), so if you want to protect valuable information, i think you know what to do.

I agree with you and sorry did not mean for it to come off so harsh just working with people that don't know this stuff I know how sometimes it can be frustrating for them if its forced on them.  The biggest problem before this happened I would say is companies did not want to give that much money to the info sec department because they thought well who's going to hack us.  Now I think more money will be put towards info sec I hope.

Hey man I am sorry if I came off harsh, also on this note I think security awareness should be going on all the time.  Should have posters made and put up all over the place ie:

http://www.infosecuritylab.com/index.php?page=9 (http://www.infosecuritylab.com/index.php?page=9)

This will make people smile as they walk by and more likely to remember the message.  Have the positions changes once a month so the same people are looking at different posters all the time.  Have a security intranet website or newsletter where the people can go and get updates about info sec.  Give away things like pens, mugs, mouse pads, ect if the budge allows for it to people that are security conscience.  Then have trainings once every 6 months or year, but make it fun so people will want to come not just a power point and lecture.  The more fun you make it the more people will want to do it.

Is it truly the end of Lulzsec???

http://pastebin.com/1znEGmHa (http://pastebin.com/1znEGmHa)

Perhaps it is for the best, statement is made, the whole IT market is on its toes again and we are getting more work then ever...

Looks like they are quitting before they all get caught, wonder if this will help them.  The people looking for them I fell will probably find them with all the sorceress at there disposal.

https://www.infosecisland.com/blogview/14784-Warning-Original-50-Days-of-Lulz-Payload-is-Infected.html (https://www.infosecisland.com/blogview/14784-Warning-Original-50-Days-of-Lulz-Payload-is-Infected.html)

Well, well check this out turns out the RAR file offered as a torrent download turns out to be a backdoor malware!

https://www.infosecisland.com/blogview/14781-Rumors-of-LuzSecs-Demise-are-Greatly-Exaggerated.html (https://www.infosecisland.com/blogview/14781-Rumors-of-LuzSecs-Demise-are-Greatly-Exaggerated.html)

Also on that note.

hmm, i wonder if lulzsec put the RBOT malware there or if the actual system was infected...guess we will never know...

An interesting analysis of the download:

Is LulzSec Final Release really infected with a Trojan? (http://stopmalvertising.com/malware-reports/is-lulzsec-final-release-really-infected-with-a-trojan.html)

Come on man oldest trick in the book.  Trojan horse ring a bell, lol?

A follow-up/supporting article to the previous link I posted:

LulzSec's Parting Trojan Is a False Positive (http://www.pcworld.com/businesscenter/article/231291/lulzsecs_parting_trojan_is_a_false_positive.html)

So, was AT&T using a pirated copy of WinRar? haha

odds are (were actually) they put it in themselves, but if they just copy files from a system, chances are they copy (without knowing about it) an infected file with it...but the pirated WinRar story is great!