Thursday, 21 July 2011
CASE 326 - LulzSec
Lulz Security, commonly abbreviated as LulzSec, is a 6-man computer hacker group that claims responsibility for several high-profile attacks, including the compromise of user accounts from Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline. The group has been described as a "cyber terrorism group" by the Arizona Department of Public Safety after their systems were compromised and information leaked. Other security professionals have applauded LulzSec for drawing attention to insecure systems and the dangers of password reuse. It has gained attention due to its high-profile targets and the sarcastic messages it has posted in the aftermath of its attacks.
At just after midnight (BST) on 26 June 2011, LulzSec released a "50 days of lulz" statement, which they claimed to be their final release, confirming that LulzSec consisted of six members, and that their website is to be taken down. This breaking up of the group was unexpected. The release included accounts and passwords from many different sources. Despite claims of retirement, the group committed another hack against newspapers owned by News Corporation on 18 July, defacing them with false reports regarding the death of Rupert Murdoch. London Metropolitan Police have announced the arrests of two teenagers they allege are LulzSec members T-flow and Topiary. The group helped launch Operation AntiSec, a joint effort involving LulzSec, Anonymous, and other hackers.
LulzSec draws its name from the neologism "Lulz" (from LOLs, "laughing out loud"), which often signifies laughter at the victim of a prank, and "Sec", short for "Security". The Wall Street Journal has characterized its attacks as closer to Internet pranks than serious cyber-warfare, while the group itself claims to possess the capability of stronger attacks. It has gained attention in part due to its brazen claims of responsibility and lighthearted taunting of corporations that have been hacked. It frequently refers to Internet memes when defacing websites. The group first emerged in May 2011, and has successfully attacked the websites of several major corporations. It specializes in finding websites with poor security, and then stealing and posting information from them online. It has used well-known, straightforward methods, such as SQL injection, to attack its target websites. Several media sources have described their tactics as grey hat hacking. Members of the group may have been involved in a previous attack against the security firm HBGary.
The group has used the motto "Laughing at your security since 2011!" and its website, created in June 2011, plays the theme from The Love Boat. It announces its exploits via Twitter and its own website, often accompanied by lighthearted ASCII art of boats. Its website also solicits Bitcoin donations to help fund its activities. Although the exact motivation of the group is unknown, Ian Paul of PC World has written that, "As its name suggests, LulzSec claims to be interested in mocking and embarrassing companies by exposing security flaws rather than stealing data for criminal purposes." The group has also been critical of white hat hackers, claiming that many of them have been corrupted by their employers.
Some in the security community have lauded them for raising awareness of the widespread lack of effective security against hackers. They have also been credited with inspiring LulzRaft, a group which has been implicated in several high-profile website hacks in Canada.
The group's first recorded attack was against Fox.com's website. It claimed responsibility for leaking information, including passwords, altering several employees' LinkedIn profiles, and leaking a database of X Factor contestants containing contact information of 73,000 contestants. They claimed to do so because the rapper Common had been referred to as "vile" on air.
The group has begun taking suggestions for sites to hit with denial-of-service attacks. The group has also been redirecting telephone numbers to different customer support lines, including the line for World of Warcraft, magnets.com, and the FBI Detroit office. The group claims this sends five to 20 calls per second to these sources, overwhelming their support officers. On 24 June 2011, The Guardian released leaked logs of one of the group's IRC chats, revealing that the core group is a small group of hackers with a leader, Sabu, who exercises considerable control over the group's activities. The logs also reveal that the group has connections with, though is not formally affiliated with, Anonymous. Some LulzSec members had once been prominent Anonymous members, including member Topiary.
At just after midnight (GMT) on the twenty-sixth of June, LulzSec released a "50 days of lulz" statement, which they claimed to be their final release, confirming that LulzSec consisted of six members, and that their website is to be taken down. The group claimed that they had planned to be active for only fifty days from the beginning. "We're not quitting because we're afraid of law enforcement. The press are getting bored of us, and we're getting bored of us," a group member said in an interview with The Associated Press. Members of the group have been reported to have joined with Anonymous members to continue the AntiSec operation. However, despite claiming to retire, the group attacked the websites of British newspapers The Times and The Sun on 18 July, leaving a false story on the death of owner Rupert Murdoch.
Members and associates
LulzSec consists of six core members. The online handles of these six have been established through various attempts by other hacking groups to release personal information of group members on the internet, leaked IRC logs given to The Guardian, and through confirmation from the group itself.
Sabu – One of the group's founders, who seemed to act as a kind of leader for the group. Sabu often decides what targets to attack next and who can participate in these attacks. He may have been part of the Anonymous group that hacked HBGary. Various attempts to release his real identity have claimed that he is an information technology consultant with the strongest hacking skills of the group and a knowledge of the Python programming language.
Topiary – Topiary is also a suspected former member of the Anonymous AnonOps, where he used to perform media relations, including hacking the website of the Westboro Baptist Church during a live interview. Topiary ran the LulzSec Twitter account on a daily basis; following the announcement of LulzSec's dissolution, he deleted his own Twitter page. Police arrested a man from Shetland, United Kingdom suspected of being Topiary on 27 July 2011. The man was later identified as Jake Davis and was charged with five counts, including unauthorized access of a computer and conspiracy.
Kayla – Also identified as "lol" in LulzSec chat logs, Kayla owns a botnet used by the group in their distributed denial-of-service attacks. The botnet is reported to consist of about 8,000 infected computer servers. Kayla also may have participated in the Anonymous operation against HBGary.
T-flow – The fourth founding member of the group identified in chat logs; attempts to identify him have labelled him a PHP coder, web developer, and performer of scams on PayPal. The group placed him in charge of maintenance and security of the group's website lulzsecurity.com. London Metropolitan Police announced the arrest of a 16-year-old hacker going by the handle Tflow on 19 July 2011.
Avunit – He is one of the core six members of the group, but not a founding member. He left the group after their self-labelled "Fuck the FBI Friday". He was also affiliated with Anonymous AnonOps HQ.
Pwnsauce – Pwnsauce joined the group around the same time as Avunit and became one of its core members.
Associates and former members include:
M_nerva – M_nerva, once a member of the group, leaked some of the group's chat logs to The Guardian. He may have participated with LulzSec in the attack on Fox.com. In response to the leak, LulzSec published M_nerva's personal information and records of the illegal hacking activity performed with them.
Joepie91 – Though he is one of the most frequent participants in LulzSec IRC chat logs, the group stated that he is not a core member.
Neuron – Neuron is not a core member of the group, but may have supported them by building software and taking part in some of their distributed denial-of-service attacks. He is thought to be an engineering student in the United States.
Ryan Cleary – A 19-year-old from Essex, United Kingdom who was arrested by Metropolitan Police on 21 June 2011 and charged with violating the Computer Misuse Act and the Criminal Law Act 1977. Though not a member of the group, LulzSec admitted that he did run one of the IRC channels that they used for communicating.
An ASCII graphic used by the group in its Chinga La Migra torrent, an associated statement, and also appearing in press coverage.
LulzSec does not appear to hack for financial profit. The group's claimed main motivation is to have fun by causing mayhem. They do things "for the lulz" and focus on the possible comedic and entertainment value of attacking targets. The group has occasionally claimed a political message. When they hacked PBS, they stated they did so in retaliation for what they perceived as unfair treatment of WikiLeaks in a Frontline documentary entitled WikiSecrets. A page they inserted into the PBS website included the title "FREE BRADLEY MANNING. FUCK FRONTLINE!" The 20 June announcement of "Operation Anti-Security" contained justification for attacks on government targets, citing supposed government efforts to "dominate and control our Internet ocean" and accusing them of corruption and breaching privacy. The media has most often described them as grey hat hackers.
Karim Hijazi, CEO of security company Unveillance, has accused the group of blackmailing him by offering not to attack his company or its affiliates in exchange for money. LulzSec responded by claiming that Hijazi offered to pay them to attack his business opponents and that they never intended to take any money from him. LulzSec has denied responsibility for misuse of any of the data they breach and release. Instead, they place the blame on users who reuse passwords on multiple websites and on companies with inadequate security in place.
In June 2011, the group released a manifesto outlining why they perform hacks and website takedowns. In it they reiterated that "we do things just because we find it entertaining" and that watching the results can be "priceless". However, they also claim to be drawing attention to computer security flaws and holes. They contend that many other hackers exploit and steal user information without releasing the names publicly or telling people they may possibly have been hacked. LulzSec said that by releasing lists of hacked usernames or informing the public of vulnerable websites, it gives users the opportunity to change names and passwords elsewhere that might otherwise have been exploited.
The group's latest attacks have had a more political tone. They claim to want to expose the "racist and corrupt nature" of the military and law enforcement. They have also expressed opposition to the War on Drugs. LulzSec's Operation Anti-Security has been characterized as a protest against government censorship and monitoring of the internet. In a question and answer session with BBC Newsnight, LulzSec member Whirlpool said, "Politically motivated ethical hacking is more fulfilling". He named the loosening of copyright laws and the rollback of what he sees as corrupt racial profiling practices as some of the group's issues.
The group's first attacks came in May 2011. Their first recorded target was Fox.com, which they retaliated against after Common, a rapper and entertainer, was called "vile" on the Fox News Channel. They leaked several passwords, LinkedIn profiles, and the names of 73,000 X Factor contestants. Soon after, on 15 May, they released the transaction logs of 3,100 Automated Teller Machines in the United Kingdom. In May 2011, members of Lulz Security gained international attention for hacking into the American Public Broadcasting System (PBS) website. They stole user data and posted a fake story on the site which claimed that Tupac Shakur was still alive and living in New Zealand. In the aftermath of the attack, CNN referred to the responsible group as the "Lulz Boat".
Lulz Security claimed that some of its hacks, including its attack on PBS, were motivated by a desire to defend WikiLeaks and Bradley Manning. A Fox News report on the group quoted one commentator, Brandon Pike, who claimed that Lulz Security is affiliated with the hacktivist group Anonymous. Lulz Security claimed that Pike had actually hired it to hack PBS. Pike denied the accusation and claims it was leveled against him because he said Lulz Security was a splinter of Anonymous.
In June 2011, members of the group claimed responsibility for an attack against Sony and took data that included "names, passwords, e-mail addresses, home addresses and dates of birth for thousands of people." The group claimed that it used a SQL injection attack, and was motivated by Sony's legal action against George Hotz for jailbreaking the PlayStation 3. The group claims it will launch an attack that will be the "beginning of the end" for Sony. Some of the compromised user information has since been used in scams. The group claimed to have compromised over 1,000,000 accounts, though Sony claims the real number was around 37,500.