A 50 Day Hacking Campaign, for the lulz
For 50 days, between May and June, one group managed to hack into News Corporation, Sony Pictures and the United States Senate and published the passwords and user details to publicly humiliate their lack of security. They also managed to embarrass the CIA by taking their website down. Yes, we are talking about the very one – Lulz Security.
The group came to prominence when they managed to successfully attack Fox.com, changed several LinkedIn profiles and even leaked a database of X Factor contestants with contact information of around 73,000 people. Why? Well, they didn’t like how Fox News called a rapper named Common as “vile” and sparked a controversy because of one misunderstood poem.
Their attacks were either to embarrass or to attack they don’t like politically. The latter was evident in its attack on PBS after it aired a negative documentary on WikiLeaks and supposed leaker Bradley Manning. That documentary was highly criticised by Wikileaks and Bradley Manning supporters as, to quote a commentator, “sensationalistic, biased and shallow”. LulzSec leaked passwords and defaced the website – even writing an article claiming Tupac was alive. They soon also attacked Sony, among the other hackers, and leaked the passwords of Sony Pictures users.
The Alyona Show (RT)/YouTube
But they became a target on the US Government and law enforcement when they started attacking them. They attacked a non-profit organisation linked to the FBI, InfraGuard, and leaked some emails and a user database; before attacking the US Senate and the CIA website in June. While they managed to take data from the US Senate website, including passwords and emails, they were only able to take down the site of the CIA – but still, its a big embarrassment when your security agency can’t defend themselves from a DDoS attack.
While the identity of the group members have been kept secret, law enforcement have arrested several people linked supposedly to LulzSec. The first was on June 21 when a man named Ryan Cleary from Essex in the UK was arrested. LulzSec claims he only hosted one IRC channel, and was not a member. In addition, a man from Shetland, Jake Davis, was arrested on July 27 on the basis that he was member Topiary. There have since been some more arrests in both the US and in the UK with claims they were part of LulzSec. Sabu, however, the reported leader is still out there – posting on Twitter, though attempts by other hackers (mostly pro-US) have tried to reveal his identity, though they are pretty conflicting.
So where is LulzSec now? Well after announcing the end of LulzSec on June 25, they came back for a one-time attack on British newspaper The Sun. It also appears that the members are now part of Anonymous as part of their AntiSec movement.
Security issues also emerged in Australia when customer databases for both Vodafone and Telstra were made available. For Vodafone, it was a massive PR disaster as it was coupled with the poor reception problems in metro cities. The main problem was that each store had a unique login – not each salesperson – and these were passed on to criminals and other people who wanted to look at their spouse, partner or friend’s account. Telstra’s problem was a bit more frightening when a simple Google search showed bundled customers’ information with no protection.
Then came the big story just in the last moments. Stratfor, the private US intelligence think tank known for its secrecy of its clients, had been hacked by someone from Anonymous and they took their client database and published it online. Those to have been revealed include the US Defence Department, Microsoft and Apple. In addition, credit card details of Malcolm Turnbull and billionaire David Smorgon were also published. But how did they get hacked? Well, turns out, they didn’t encrypt the data. Yes. You read that correctly. They did not ENCRYPT their data.
So hopefully, many companies learn from their lessons and maybe try protecting our data.