Security professionals should find little comfort in the announcement over the weekend that LulzSec was folding up shop following an unprecedented, two-month-long hacking spree that left a trail of disruption and embarrassment across multiple industries, according to experts.
Following data heists against entities such as PBS, Sony, the Arizona Department of Public Safety and InfraGard of Atlanta, and distributed denial-of-service attacks against government entities such as the U.S. Senate and CIA, the always enigmatic LulzSec decided to call it quits. A news release seemed to imply that the six-person group’s lifespan simply had run its course, but there is no doubt the heat from law enforcement was intensifying.
The much larger, and seemingly more principled, Anonymous group already has vowed to take the lead on the recently announced operation, dubbed Anti-Security, which calls for hackers worldwide to expose sensitive data that reveals wrongdoing within governments and corporations, namely banks.
“We hope, wish, even beg, that the movement manifests itself into a revolution that can continue on without us,” LulzSec wrote on Saturday. “The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention humbling.”
Andrew Herlands, director of security strategy at Application Security, a company that specializes in database protection, said a legacy of LulzSec is that it “drew in a whole bunch of people who probably never considered how easy it is to expose people’s records” and break into corporations. As a result, groups such as LulzSec — which also went by the name The Lulz Boat — will continue.
Noted security researcher Dan Kaminsky said the ease and methodical nature with which today’s attacks are perpetrated is the area that needs addressing.
“LulzSec going away doesn’t make code any better,” he said. “LulzSec going away doesn’t make code any worse.”
“It’s the same stuff over and over again,” he added in an interview Monday with SCMagazineUS.com. “You gain entry generally through a website flaw or occasionally by breaking a client. Then you leverage that entry by using stolen credentials, and then you pull down a bunch of private information. It’s quite mechanical.”
He said zero-day vulnerabilities, such as SQL injection flaws often used by LulzSec to gain a foothold, are “really easy to find.” As a result, there needs to be a fundamental change within the software development chain: specifically, the cost of writing secure code and finding vulnerabilities must drastically diminish.
“It remains incredibly expensive to secure systems, and even after you try you probably won’t succeed,” Kaminsky said. “APT (advanced persistent threat) is what we call it when someone does everything security says to do and still gets owned.”
Organizations can’t stop trying, though, Herlands said. He recommended a defense-in-depth approach that includes testing software, implementing firewall rules and securing the database.
And the largest threats don’t come from groups like LulzSec and Anonymous, he insisted. Organizations’ main concern should be adversaries who don’t publicly announce their exploits and instead operate stealthily in pursuit of corporate secrets.
June 27 2011