Archive
Laughing at your security – It’s been a long 50-odd days for the Lulz Boat
Laughing at your security – the Lulz Boat.
How the media went along for the Lulz Boat ride
27 June 2011 | 13:02 | @arturodetexas
So, the LulzSec hacker group says it has disbanded – but in less than two months they’ve changed the relationship between hackers and the media.
It’s been a long 50-odd days for the Lulz Boat, those fun-loving hackers sailing under the Twitter handle of LulzSec. If you hadn’t gleaned it by now, the name translates as ‘laughing at your security.’
And that’s what the loose collective has been doing.
We’ve seen LulzSec make a mockery of Sony, the US Senate, CIA and FBI pages, countless security firms (maximum lulz there), PBS (who could forget the fake story reporting on rapper Tupac, alive in New Zealand), lots of gaming companies, and their first prominent target, X Factor contestants who found their application and contact details leaked on the web.
But, of course, so-called ‘grey hat’ hacking/cracking attempts aimed at the disruptive outing of poorly secured systems are not new.
And while they initially claimed they were acting just for the laughs, political leanings came into it later on, as they conceded in an interview with the BBC.
But this ‘hacktivist’ slant was also not new – let’s not forget the Anonymous crowd which LulzSec likely spawned from, which itself received widespread attention when engaging in ‘payback’ Denial of Service attacks on companies which acted against WikiLeaks.
No, new was the way in which this hacking group kept the media waiting on their every breach, joke and, importantly, tweet.
Tweeting out announcements, upcoming targets, jokes and more, LulzSec, has almost 282,000 followers at the time of writing – a figure which has rocketed up in recent weeks.
Even the most popular of the Anonymous Twitter accounts can only muster just over 100,000.
And there’s no doubt the half-dozen hackers who make up LulzSec took real interest in the mainstream media’s coverage of their work, as leaked chat logs confirmed last week.
Yet the more they attacked, the more they talked it up, and the more enemies they made.
A number of these are fellow hackers, who for a range of reasons, have fallen foul of the group.
A few weeks back I spoke to a member of the ‘Backtrace Security’ group referenced in the leaked logs – lead LulzSecer Topiary said they should go after Backtrace because they’d dared to attempt to expose them.
This hacker, formerly associated with Anonymous, was angered at LulzSec’s ‘ignorant vigilante nonsense’, and posted alleged names of the core members online months back. Recent chat logs confirmed the hacker names, but the real ones remain unconfirmed.
‘They think they’re invulnerable…but they’re being really, really sloppy’ he said, after claiming to get hold of the information via social engineering.
‘They are very stupidly overconfident.’
He claims the FBI approached him for the names, but in the murky world of chat rooms and stage-names, that can’t be confirmed – the FBI have told several media organisations they can’t comment on such investigations.
What’s not in doubt is the risky game being played – LulzSec have taken a lot of joy from tweeting about all the times they’ve supposedly been exposed, only to remain online.
So far, authorities have arrested people who appear to be loose associates of LulzSec at best, and the likely core members – Topiary, Sabu and Kayla included, keep tweeting.
Now, the group says it’s disbanded – and we’re yet to see someone at the centre of the group charged. (including the arrest of a 19 year-old alleged hacker in England last week)
Will the attacks continue?
I asked Murray Goldschmidt of Australia’s Sense of Security how many companies he worked with had faced attempted breaches.
‘I would say all of them’, he answered. ‘But they don’t necessarily know it’
‘They may have already been attacked but don’t have the ability to respond to it.’
Plenty of these may have been for reasons more spurious than having a laugh. But media organisations should not presume that just because a group of hackers delivers their news right to a journalists’ deskstop via a Twitter feed, that noone else has been at it the whole time.
What’s clear is that the textbook on how to get the media interested – indeed how to string them along – has been rewritten.
Recent attacks on Sega as well as the UK’s Office for National Statistics were denied by the group. Could someone else be leaking data just for the lulz? Probably.
So watch out for LulzSec Brazil, watch out for LulzSec Italy. Watch out for all sorts of groups who wouldn’t mind some mainstream media notoriety.
Because until someone gets sentenced for some very audacious attacks, you can expect more of the same.
LulzSec claims new international hacking victory
Image via Wikipedia
LulzSec claims to have brought down two Brazilian government websites in fresh attacks after a 19-year-old teenager from Essex was arrested, accused of being part of the hacker group.
In a tweet in the early hours of Wednesday morning, LulzSecBrazil wrote: “TANGO DOWN brasil.gov.br & presidencia.gov.br”
Another Twitter message from the main LulzSec page then added: “Our Brazilian unit is making progress. Well done @LulzSecBrazil, brothers!”
The websites are the official pages of the Brazilian Government and the President’s office, the equivalent of the Downing Street site.
Attempts to access the websites this morning proved unsuccessful and the attacks appeared to have swamped the pages with internet visits, causing them to crash.
The Brazilian government has become the latest high-profile victim claimed by LulzSec in a list which has allegedly included the CIA, the US Senate, the US television broadcaster PBS, Britain’s Serious and Organised Crime Agency and the technology firms Sony and Nintendo.
If the claims are accurate, it would not be the first time that LulzSec has reacted hard to attempts to damage it.
Yesterday, the group posted the private details, including the home addresses, of one hacker and his associate who “tried to snitch on us”, accusing the hacker of “countless cybercrimes”.
Addressing the post to the “FBI & other law enforcement clowns”, they signed off: “There is no mercy on The Lulz Boat. Snitches get stitches.”
Our Brazilian unit is making progress. Well done @LulzSecBrazil, brothers!less than a minute ago via web 
Favorite 
Retweet 
Reply
The Lulz Boat
LulzSec
The 19-year-old arrested in the UK on Monday night is Ryan Cleary, the son of a college lecturer. The teenager is accused of being a “major player” in LulzSec.
He was held in a raid at his family home in Wickford following a joint investigation between Scotland Yard and the FBI, which was also aimed at finding the hackers who breached security at the video games firms.
No messages were posted on the Twitter account of LulzSec for about 10 hours after the arrest before two denials came.
One read: “Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us. Lame”
Another read: “Seems the glorious leader of LulzSec got arrested, it’s all over now… wait… we’re all still here! Which poor b—–d did they take down?”
It was alleged last night that Mr Cleary was online in the middle of hacking when he was held. The arrest came hours after an anonymous internet user claiming to be from LulzSec threatened to publish the entire 2011 census database, though this was later dismissed as a hoax. A Scotland Yard spokesman said a “significant amount of material” had been seized from Mr Cleary’s family home by officers from its specialist e-crime unit, and would now be subjected to forensic examination.
Mr Cleary’s family expressed disbelief that the self-confessed computer “nerd” had anything to do with hacking. His mother Rita, 45, said her son “lives his life online” but she thought he had been playing computer games in his bedroom at the detached family home.
She added that, as he was led away by police, he told her he feared he would be extradited to America.
His older brother Mitchell, 22, said: “Ryan is obsessed with computers. That’s all he ever did. I was stunned to hear he had been arrested.
”He’s not the sort of person to do anything mad or go out and let his hair down or do anything violent. He stays in his room – you’ll be lucky if he opens the blinds, but that’s just family, isn’t it? I barely see him – I’m more of a football person – he’s more of an inside person.”
He said his brother had fallen out with people over WikiLeaks: “He used to be part of WikiLeaks and he has upset someone from doing that and they have made a Facebook page having a go at him.”
James Rounce, a neighbour of Cleary, said: “They moved in about 10 years ago and have been pleasant neighbours. I think he had been away at university and had come back for the holidays or because he had finished his exams. You could tell he was very bright just from the way he spoke and presented himself.”
Mr Cleary’s father Neil, 44, worked as musical director on the West End production of the Andrew Lloyd Webber musical Starlight Express. He later became a lecturer at Peterborough Regional College in Cambridgeshire and director of its orchestra. Nick Stamford, a former classmate of Ryan Cleary, said: “He used to spend a lot of time at home and that is when I think he got into computers. He was quite bright but he didn’t really have too many friends.”
LulzSec has emerged in recent weeks as a rival to the hacking group Anonymous, which targeted banks that had refused to process donations to the WikiLeaks website.
The organisation claimed credit for hacking into the accounts of Sony PlayStation users. On Monday it bombarded the website of the Serious and Organised Crime Agency with so much internet traffic it had to be taken offline.
Mr Cleary’s arrest is likely to lead to comparisons with the case of Gary McKinnon, the 45-year-old Briton fighting extradition to the United States, where he could face 60 years in jail if convicted of hacking into Pentagon and Nasa computers.
Arturo Detexas 