I wouldn't be so sure. They are spread all over the world and have a rather disjoint corporate structure (as previously noted, Sony Pictures is distinct from the Sony running PSN), so while some branches may be quite secure, others are very possibly not. I didn't hear the technical details of the latest Sony exploit, but somehow I doubt they were that impressive.
Given that a lot of their sites have been broken into with relatively unsophisticated means, such as SQL injection, I think that many Sony sites are certainly in the "low-hanging fruit" category.
I'm glad they were doing it for the lulz. Some day someone's going to be doing it, not for the lulz, and the price we'll have to pay for this kind of massive developer/it-sec incompetence will be extremely high. Hopefully this has served as a wake-up call to people who weren't already aware how low the fruit has been hanging.
These guys are like the kids who paint your cat with spray paint. It seems that most groups, and computer criminals don't seem to have escaped this, have people who span the range from 'harmless' to 'lethal'. This prank (and it was a prank) was more on the 'harmless' side; Stuxnet was more on the 'lethal' side.
Some people see the end of the internet as we know it in these stories, I see new opportunities to sell locks :-)
You say you are glad they were doing it for fun and are waiting for someone to do it not for fun? How do you know it hasn't already been done? A true hacker wouldn't expose their actions and would continue with the exploit.
I think these kids have exposed the true lack of security around the world in general and it has raised some serious attention for other people to take a look at their own defence, which is good in some respects.
What they have also successfully done is lowered people's trust in massive corporations, which in turn is going to hurt the economy globally, which is not good in any respect.
I think they should have hacked it then made the companies aware, not the whole world. It's hard enough getting someone to trust and pay for services from a company when they think they are safe, they really won't when there is no trust there at all.
I have only one thing to say: if companies were taking the necessary steps to protect their customers and treat them as if they actually mattered there wouldn't be any problem.
And I'll remind everybody that we are dealing with SQL injections and plain-text passwords. And it's 2011.
You said, the hackers "lowered people's trust in massive corporations [...] which is not good in any respect."
It seems pretty clear to me that Sony is most decidedly not deserving of consumers' trust - and without these public disclosures, we would have never known that.
Certainly - as I learned in the Gawker security breach - it sucks to have your login details broadcast to the rest of the internets. But, after a few hours resetting passwords across the internet, I was good to go. I expect the affected consumers in this case will have a similar experience.
And, that experience is a far better one than having your data stolen by a more malicious group of hackers, who use it for far more damaging means, without your knowledge.
So, I don't believe that this group of hackers is any kind of heroic. But even if their motivation is suspect, I do believe they're performing a type of public service. Teaching us all that it's the height of ludicrousness to hand over your sensitive data to Sony, and expect them to keep it reasonably secure from basic script-kiddie tactics.
No, they might not be deserving of customers' trust but that doesn't mean that throwing egg on their face is helping the situation any. If the hackers were doing it for the good of the community then it's counterproductive. They should have informed Sony of the issue. They are kids who do not understand what effect the situation has on the economic climate.
Also, defacing the other music sites does nothing more than raise the profile of their hacking "skills".
As I mentioned, yes, they are making people aware that there are security issues that companies need to iron out, and Sony are having some seriously bad media recently, but who is this really helping? It's not helping the market and it's not helping consumers.
You and I both know that they should not be storing stuff plain text or with some bad security practice and we understand what it takes to make it right but to the common person they are instantly put off all places where they have to put card details. The overall perception of the web is stepping back 15 years in the eyes of the general consumer, soon people will be afraid to put their details anywhere.
I agree completely with what you are saying but that's from my point of view, I'm thinking general consumer confidence.
> No, they might not be deserving of customers trust but that doesn't mean that throwing egg on their face is helping the situation any.
But not throwing egg on their face was helping less. As long as security bugs are mostly invisible they don't get fixed.
> They should have informed Sony of the issue.
If Sony needed to be told to lock their doors it's only because they didn't care. (At least in 2011. It might have been different in 1997...)
> It's not helping the market and it's not helping consumers.
In the end, it helps the market and the consumers. If companies get away with broken security that penalizes, by comparison, other companies who spend more to develop a secure product, or who produce a less ambitious product because they know it's all that can be done securely.
Customers win because they get a more realistic view of what they're buying.
> You and I both know that they should not be storing stuff plain text or with some bad security practice and we understand what it takes to make it right but to the common person they are instantly put off all places where they have to put card details. The overall perception of the web is stepping back 15 years in the eyes of the general consumer, soon people will be afraid to put their details anywhere.
As they should be. You can see how well protected everything isn't.
> I agree completely with what you are saying but that's from my point of view, I'm thinking general consumer confidence.
Confidence through ignorance doesn't seem like a gift.
Why are you using the same password across the web in the first place? Worst case, at least have a tiered system.
High - These are high security risk, such as email accounts, and anything that can gain access to or control something that relates to it (domain names, server access, stuff like that).
Medium - Passwords that give you access to very specific systems that, if someone gained access, would ruin your day but won't allow them to do anything really bad (personal home file server, the password to your FTP, web forums where you have a trust-based relationship with people).
Low - If it gets hacked, who cares. Won't make a bit of difference (throwaway accounts on forums, news sites, stuff like that).
You're absolutely right, but, like (I suspect) many people, I knew better, but hadn't taken the time to implement unique passwords before the Gawker security breach. It basically forced me to act - and now I'm better for it.
Yep, the dox linked here are pretty old. Topiary, Kayla and a bunch of others listed are members of Anon as well, giving the theory of Lulzsec and Anon being related more credibility.
Not surprising, since they are just a bunch of weekend warriors and kids. Any real smooth operator wouldn't be working out of his house, and especially not on a personal browsing machine. From the opposite perspective of that, the government hasn't seen diddly when it comes to digital terrorism. Just wait until the FBI can't track down the culprits from their broadband bill and drive over to their parents' house and make the arrest...
I think you need to read up on cyber crime and cyber criminal groups. Your thesis is correct but only accounts for those who are not independent from the internet. A professional attacker wouldn't ever use the machine and network they were accessing the Internet from for anything other than their attacks. No compromising search terms, emails, chats, page visits, internet billing, etc. I'm talking about a machine totally devoid of personal information or anything that could potentially reveal the identity/location/details of the attacker. Now imagine this was scalable and you were constantly changing your point of access and machine. Actual cyber criminals (the ones cleaning out credit card companies and banks, doing high-level blackmail, stealing secrets, etc., the shit you really only ever hear rumors about because it's too dangerous to leave executive circles at companies), especially in Eastern Europe, have access to an almost unlimited supply of cheap machines, false identities, "tunneled" networks and connections inside major established institutions and companies, and strict criminal group rules that make it almost impossible to identify anyone. Don't be naive, this shit goes on every day.
I would imagine the professionals are using other people's cracked wifi networks, then routing through Tor or a similar onion routing system, eventually hitting a VPN endpoint on some anonymous hosting account in Russia, etc. etc.
The truly paranoid might like to rent a botnet and build their own tor network on top of it or something like that.
In short: the fundamental nature of TCP/IP is such that if you are sufficiently motivated, and don't mind horrible latency, even the FBI/tptacek can't identify you.
I'm thrilled to report that it isn't my business at all to track down people on the Internet, and so I am not a good standard for what is and isn't feasible vis a vis IP traceability.
We break apps and build products and that is just about it. (We've also never done business, to my knowledge, with the government.)
Not surprised. Hacking Sony is one thing. Hack the FBI and you end up in a dark room somewhere. I almost feel bad for these kids, if they are indeed kids.
This wasn't the FBI, it was some other hacker who was pissed at him. The screenshots [1] show that quite clearly. That guy likely just turned xyz over to the feds after doxing him (and rooting him, and taking over most of his online accounts)
What's really funny is that going after an official FBI site would have gotten less of a backlash from real hackers. Attacking Infragard is like slapping a bunch of hackers (white-hat and black) in the face, so they're going to be a lot more motivated to expose the perpetrators. It's all pretty silly.
Wow, I would definitely not consider myself a security expert but I seriously have higher standards than this when it comes to security. Most obvious fails on this dude: 1) Windows, 2) Gmail (if I were a hacker I would not use this for obvious reasons), 3) specifying any personal credentials in my "hacker" account, 4) same username (...I would not use the same user ID). I mean, c'mon... I had higher expectations of these guys really (considering I'm not into those kinds of networks - call me a hacker noob). Let's hope the other guys were more paranoid than this.
Btw, what do you think the jail sentence in the US will be for this? Let's hope he's a minor - looks like a teenager.
Last I checked they were alive and well. As for them supposedly being amateurs, no... no they are not. The attacks they are pulling they could get away with if they kept the secret. But something is motivating them.
Seeing as how Anon has moved up to hacktivism against third world dictatorships and other government agencies, I wonder if LulzSec is a splinter group.
Almost: script kiddies using Windows. It helps the script distributors, by making it easier to target the script kiddies with embedded botnet software :)
So they got exposed because they were acting like a bunch of children and taking no precautions?
Man, if people who don't know what they're doing are this successful, imagine what it means about people who are. And how any laws we make about computer security are just security theater.
When you talk about IT security with people with real secrets (governments), they talk about LulzSec-types being the "lowest risk" category of attackers.
The mid-risk category are the real professionals; they leave no trace, you never hear about them, you never know they were on your system, they just take your data and sell it.
The highest-risk category is true information warfare, targeted attacks by other governments and large entities. As the previous replier said, just look at Stuxnet. You don't have to be a government for this to be a real threat. Imagine if Nintendo had compromised Sony's servers, and somehow loaded corrupt firmware onto the Playstation update system...
These threats are real and constant, and anyone with sensitive data needs to be aware of them. Simply firing up iptables and disabling root SSH isn't sufficient - you need to be aware of the intricacies of your system on a day-to-day basis.
To be honest, if your opponent has a couple of million dollars or more to spend on hacking you, and you aren't willing to expend several multiples of that on defence, you should probably give up on the convenience of having your secret data on the internet and just have it encrypted on HDDs surrounded by handpicked armed guards who owe you a blood debt.
Computers and especially networks are just fundamentally insecure for the purposes of high-value information.
This is the same reason why internet voting will never be a good idea.
Electronic and Internet Voting (The Threat of Internet Voting in Public Elections)
It goes into all sorts of electoral fraud, the finer points of designing elections from a hacker's perspective, the Diebold hacks, and that awful Rails app that those students (?) wrote in the hopes of using it in some US local elections a while back.
In brief, that system isn't safe because someone can obtain your receipt and therefore your voting rights from you by coercion/incentives. Votes should never be verifiable, because then they can be bought. Vote receipts would be pretty valuable...
They are already verifiable. You provide the seller with an absentee ballot, he or she fills it out, and then you exchange the completed ballot for the beer/cash/delicious pie.
True, but a crucial difference is that the cryptvoting allows verification after the fact, while absentee ballots must be verified in the window between the ballots being sent out and polling day.
I know the high risk actors are there, my post was fueled by my continuing fascination of how low the barrier to entry to the low-risk category is, and how high the potential they have is.
That's one thing a lot of non-experts don't appreciate about these sorts of attacks. They are not terribly sophisticated, nor are they terribly malicious. This is why I put so much blame on Sony and Gizmodo, because they're not being attacked by some elite team of super hackers with an elaborate plot to destroy the company. Rather, they're being attacked by bored teens who are using crude techniques that no public facing website should be vulnerable to in 2011 and they are just dumping what data they gain access to on the internet. Compared to the sort of mischief a talented and dedicated hacker could achieve this is nothing.
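The two "crude techniques" this thread keeps coming back to, SQL injection and plaintext password storage (named directly in the "we are dealing with SQL injections and plain-text passwords" comment above), shown side by side with their fixes. This is an added example written for this page, not code from Sony, Gawker or any of the people quoted here. It runs against an in-memory SQLite database with two constructed sample users; the table names, usernames and passwords are made up for illustration, and PBKDF2 stands in for whatever password hash you would actually deploy.

```python
"""Added example: SQL injection plus plaintext storage vs. parameterised
queries plus salted PBKDF2 hashes. Constructed data, in-memory SQLite."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor (assumed; raise as hardware speeds up)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. A dump of this column yields no passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: the same two users stored both ways."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("admin", "hunter2"), ("alice", "correcthorse")):  # made-up users
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)  # per-user salt: equal passwords get different hashes
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                     (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


# --- the 2011 way: string-built SQL, plaintext password column ---------------
def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Returns the matched username or None. Input is pasted into the SQL
    text, so a quote in the username rewrites the WHERE clause; with the
    username "admin' --" the rest of the condition becomes a comment and the
    password is never checked."""
    sql = ("SELECT username FROM users_plain WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def leaked_passwords(conn: sqlite3.Connection) -> list:
    """What a dump of the plaintext table hands an attacker: every password."""
    return [pw for (pw,) in conn.execute("SELECT password FROM users_plain")]


# --- the fix: parameterised query, verify against a salted hash --------------
def hardened_login(conn: sqlite3.Connection, username: str, password: str):
    """Returns the matched username or None. The username travels as a bound
    parameter, never as SQL text, so "admin' --" is just a username that does
    not exist. The stored hash is compared in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return username
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"
    print("vulnerable, real creds :", vulnerable_login(db, "admin", "hunter2"))
    print("vulnerable, injected   :", vulnerable_login(db, payload, "anything"))
    print("plaintext dump         :", leaked_passwords(db))
    print("hardened, injected     :", hardened_login(db, payload, "anything"))
    print("hardened, real creds   :", hardened_login(db, "admin", "hunter2"))
    print("hardened, wrong pass   :", hardened_login(db, "admin", "hunter3"))
```

The injected login succeeds without a password in the vulnerable path and fails in the hardened one, and the only difference in the query is that the values are bound rather than interpolated. The second half of the comment's complaint, plaintext storage, is what turns a single injectable query into a credential dump for every user; hashing limits a dump to salts and hashes that still have to be cracked one password at a time.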
Starts off with <Topiary> telling everyone to get off this network, ED IRC (it could be a server in their own network, but if that were the case their network would already be breached).
<pwnsauce> calls for a new operation (similar to how anon has various operations).
Then <Topiary> admits to hiring a botnet to help them.
<joepie91> chimes in, talking about how an IRC server exploit is basically killing his computer.
<storm> asks for an exploit, <lol> says he has it, but is scared to get it out and give it to him (meaning that, for all his "security knowledge", he still managed to get viruses on his stuff).
About half an hour later, <Topiary> insults a few people they want to crack, and mentions an Apache 0-day exploit. The rest is them asserting their masculinity, and a mention of the Gawker root.
oh, and then a message saying one of the guys is in FBI custody, but I assume that's not part of what you wanted translated.
Thanks. This train wreck caught my eye this weekend and I can't, for the life of me, identify with these people. I am ambivalent about lulzsec's actions, but I understand both sides' issues. Not sure what to make of it, and I am trying to ignore it (simply failing).
It looks like they were just connecting to a private IRC server directly from their own machines. It is possible to remain reasonably anonymous online, but only if you take certain precautions.
Manning is a totally different story that doesn't even fall under the same branch of law. Plus state security in the US is somewhat touchy, I hear. They're kids, they're gonna be all right.
It appears some of them aren't kids, and from what we have seen computer crime is taken seriously when it is done against the government or popular things (Sarah Palin's email password reset and leak got the guy 1 year).
In some public NATO reports, they said that during the Kosovo thing, NATO hackers took out specific Serbian radar installations to cover for the strike planes. I guess the Serbians didn't get the memo about putting critical infrastructure on a routable network...
There will always be another garishly-named group willing to SQL-inject and XSS the low-hanging fruit.