Hackers: Not just pale geeks anymore | Attacks turn online security upside down

Sony. PBS. Arizona law enforcement officials. These are just a few of the organizations that have recently been targeted by hacker group Anonymous and its splinter group, LulzSecurity (LulzSec).

By Greg Allmain • June 28, 2011 1:10 pm
The logos for Anonymous
The logos for Anonymous

Sony. PBS. Arizona law enforcement officials. These are just a few of the organizations that have recently been targeted by hacker group Anonymous and its splinter group, LulzSecurity (LulzSec).

In each case, sensitive information was put in the public domain for anyone paying attention.

The hackers disabled Sony’s PlayStation 3 gaming network, keeping video gamers from playing online for the better part of a month between May and June. The groups then followed that attack with a hack of Sony Pictures, releasing user information and other data.

At PBS, the “technomancers” of LulzSec and Anonymous were able to break into the public television website and post a story that slain rapper Tupac Shakur was alive and well and living in a foreign country.

And finally, last week the two groups claimed the attack that released personal information of Arizona law enforcement officials, many of whom are responsible for policing that state’s troubled borders. After the data leak, almost every person listed was inundated with emails and phone calls, leading one person to take an entire family into hiding.

Black hat, white hat

With their attacks ranging from humorous to malicious, one of the biggest motivations for these “black hat” hackers is to point out the security flaws of companies and entities that people entrust with their most sensitive information in the digital world.

“With these organizations, these groups are trying to say (to the companies), ‘Hey, you need to beef up your security’,” said IT expert Chris Stevenson, co-owner of Geeks@Site in Federal Way. “Secure your stuff, slick, is basically what they’re saying.”

In the world of hacking, hackers delineate themselves as “black hat” or “white hat.” Black hat hackers like LulzSec and Anonymous perform illegal hacks of companies and organizations. White hat hackers are computer experts who are paid to probe a company’s network to expose flaws.

The work of white hat hackers, said Stevenson, is another motivating factor for the black hats and their attacks.

“Companies will hire these white hat hackers to go in and probe a network,” he said. “And most of the time, the companies who hire them will go, ‘Yeah, thanks,’ hoping on the chance a malicious attack won’t happen to them.”

Stevenson said large companies face a double-edged sword when it comes to information security. On the one hand, they have the duty to defend their consumers’ information with as much security as possible. On the other hand, the companies must weigh factors such as convenience and ease of use for consumers, he said.

Another factor in the world of information security that is exploited by hackers is the proliferation of smartphones, PDAs, tablets and laptop computers, Stevenson said. As more people carry devices containing their sensitive information, the chances of those devices being stolen and exploited increase dramatically, he said.

How hackers do it

The most common tactic of Anonymous and LulzSec is called a Low Orbit Ion Cannon (LoIC). This is a computer operating script that Anonymous hackers use to get their followers to kill a website’s bandwidth. A large number of users come to the site running these scripts, which overloads the site’s physical servers. Once the website is crashed, the truly skilled hackers come in and weave their way through the now compromised systems to find the sensitive information.

Another important part in the “how” of hacking groups is that they typically attack relatively unsecured company mail web servers. On top of that, social engineering is used by the groups, such as “phishing” and other related scams.

Spend any time in any of the Internet Relay Chat (IRC) channels dedicated to these groups, and you’ll find users constantly logging in and asking for people to try and crash a specific website. Last Friday, during an approximate time of 45 minutes in the room #AntiSec, there was a push to crash Brazilian website Globo.com. Globo.com is the Brazilian equivalent of the Fox News Channel in America. Users were still able to view the site as of Monday, June 27.

Protect yourself

Hackers are now an active and dangerous subculture in today’s world. Stevenson said there are a few different things people can do to secure their information as much as possible.

“Security is also up to the end user,” he said. “Make sure you have a secure password, 12 to 15 characters long, that uses upper and lower case letters and special characters.”

Special characters include punctuation marks such as an exclamation point or ampersand. Along with more complex passwords, Stevenson suggests people change their passwords on a regular basis.

Another easy way to keep information secure is to avoid the temptation of convenience, Stevenson said.

“When you’re doing online purchasing and you’re given the option to save your payment information, don’t,” he said.

Outside of those protections, Stevenson suggests that anyone who operates a home wireless network to secure that network with a password.

“A lot of people, they plug in their home wi-fi router, but they don’t bolt it down,” he said. “There are people called ‘wardrivers’ who drive around neighborhoods sniffing for networks.”

Stevenson cited one example of the damage a wardriver can do. On the East Coast, a man was at home in bed, he said, when he woke up to the sound of federal agents breaking down his door. The agents were there because the man was believed to have been trafficking child porn over the Internet. However, the real perpetrator was someone who had hijacked the man’s wireless signal, Stevenson said.

Recent developments

Over the weekend, LulzSec issued a “press release” in which it announced retirement, at least under the guise of LulzSec. Between the two groups, LulzSec had taken on the persona of the “merry prankster” hackers, while Anonymous characterized itself with harsher, more war-like words and actions.

With LulzSec’s “retirement,” the group shared thoughts on what its hacks have meant, and what’s in store for the future.

“For the past 50 days, we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could,” LulzSec wrote. “All to selflessly entertain others — vanity, fame, recognition, all of these things are shadowed by our desire for that which we all love. The raw, uninterrupted, chaotic thrill of entertainment and anarchy.”

LulzSec continued:

“We truly believe in the AntiSec(urity) movement. We believe in it so strongly that we brought it back, much to the dismay of those looking for anarchic lulz. We hope, wish, even beg that the movement manifests itself into a revolution that can continue on without us. The support we’ve gathered for it in such a short space of time is truly overwhelming, and not to mention, humbling. Please don’t stop. Together, united, we can stomp down on our common oppressors and imbue ourselves with the power and freedom we deserve.”

With those words in mind, perhaps the adage that’s floated around since the beginning of the computer and Internet ages is finally coming true:

The geeks shall inherit the Earth.