As I write this, it’s been about 24 hours since the hacking collective known as Lulzsec scuttled their ship and scattered to the four winds. There’s been a lot of speculation about what motivated their 50 days of hacking, a run that stirred up quite a bit of talk about exploiting security holes, and about what would cause the poster children of anti-sec hacking to disappear as quickly as they emerged.
Lulzsec emerged almost two months ago from the fires of the now-infamous Sony PSN hack. It appears to have been formed by some of the Gn0sis people that hacked into the Gawker Media database and some other disaffected members of Anonymous. After they popped up on the radar, they started posting a lot of supposedly secured information about all manner of things, from X-Factor contestant databases to FBI security contractors. They also participated in other hacks, like taking cia.gov offline for a few hours. Most recently, they posted a dump of the Arizona Department of Public Safety servers and some 750,000 AT&T subscriber accounts. Their activities have raised a lot of questions about perimeter security and probably cost a few security professionals their jobs.
To Lulzsec, this was all a game. A giant F-you to the whole security community at large. Their manifesto reads a lot like some teenagers I know. They do what they want, how they want, when they want. At first, there was no rhyme or reason to their attacks. Later, they started talking about their “anti-sec” agenda, the idea that information shouldn’t be buried and needs to be disseminated by whatever means necessary. Indeed, their anti-sec agenda also extended to the idea that people with inadequate security needed to be exposed and publicly embarrassed to resolve these issues.
Almost as soon as they burst into the limelight, Lulzsec announced they were disbanding. Theories abound as to the reason for their dissolution. Did the feds get too close? Was the lifting of the anonymous veil through leaking of personal information the last straw? Did they simply get bored? Answers won’t be forthcoming from the members themselves. They seem to have faded right back into the anonymity they sprang from. I think the answer to what is going on probably lies somewhere in the middle of all these things.
The Lulzsec hacks appear to have mostly centered around SQL injection. The time-honored tradition of exploiting databases with carefully crafted input strings continues to be quite popular even today. I think Lulzsec used this attack vector to great success against Sony and a couple of other choice targets up front. After their initial success, their patterns seemed to be haphazard. I think this is due to the nature of using their one attack against a variety of sites rather than targeting specific ones. It was a brute force method of anarchy, kind of like using a screwdriver to do all your tool-related tasks. It works really well for screwing, but not so well for hammering or sawing. Once they managed to expose the FBI partner databases and take down the CIA’s small public-facing webserver, that brought significant attention from all angles, not typically something you want if you are trying to stay anonymous. Then, other groups inside the scene started either getting jealous of the attention or decided to fight fire with fire. That led to d0xing, the term used to describe the leaking of personal information that can be used to identify someone. Through exposure in the public eye and the looming investigation from some upset three-letter agencies, I think the first members to jump the Lulz Boat left at this point. Rather than face what might be coming, they ducked out and headed back to the darkness that had protected them so well. This has been somewhat confirmed in interviews with the publicly-known members.
The remaining Lulzsec members then seem to have gone on a recruitment drive. They tried to bring more talent into the fold. I don’t think this newer group was quite as determined or successful as the first, though. That led to a slowdown in target penetration. You might argue that they’ve been releasing stuff right up to the end. True, but all we know is that those sites were hacked; we don’t know when. For all we know, AT&T could have been the second site they hacked. AT&T was their ace in the hole. If they were for real and ready to keep going for a long time to come, they would have released AT&T right away. By putting it away and saving it for last, it appears they wanted one big splash before they were forgotten. A vigorous, active Lulzsec would have been able to keep hitting bigger targets than AT&T. After their success rate started dropping off, I think the remaining “old” members of Lulzsec probably did get bored. Without new conquests to fuel their fame, the rush wasn’t there any more. They decided to go out with a bang and quit while they were still ahead. The remaining new recruits will probably go on to be folded into newer organizations that spring up in place of Lulzsec, the new breed of SQL injectors (or whatever is next), just like the Lulz Boat appears to have sailed with many Gn0sis crew members on board.
The black hat in me cheered Lulzsec for what they’ve accomplished. The white hat is appalled. Again, the truth lies somewhere in the middle. I look at Lulzsec like the Joker in The Dark Knight. A group of anarchist hackers that just want to have fun and burn everything down around them. No agenda, no statements, just exploitation for fun. A group of chaotic neutral script kiddies. However, the very limelight they sought burned them enough to force them back into the shadows. The way I look at it, the key to being a successful hacker is to not get caught. Don’t get famous, and definitely don’t draw attention to yourself. Kevin Mitnick had to learn that the hard way. Something tells me that more than one of the passengers of the good ship Lulz will learn it the same way sooner rather than later.