The Lesson of Recent Hacktivism

itwbennett writes "LulzSec says they're retired, which may or may not be true. But one thing the world has learned from their 'frightening yet funny escapades is that 'the state of online security stinks,' writes blogger Tom Henderson. LulzSec (and Anonymous) have 'demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.'" A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.

Regarding Lulzsec

LulzSec might have ended, but I can guarantee you the exact same stuff is happening underground, except this time you probably won't know all your information has been stolen. Other than exposing corrupt whitehats I don't really agree with their actions, but I'm not sure if the alternative of keeping it in the hands of underground blackhats and IRC scriptkiddies is any better (not that is wasn't going on during LulzSec as well, but still).

Regardless, the AntiSec movement seems to be picking up some steam, at least within Brazil (protests are planned for July 2nd), and the first AntiSec release has just been posted to Pirate Bay: http://thepiratebay.org/torrent/6502765 with more promised tomorrow.

Regardless of their "supposed" script kiddie status (they did break into a hacking contest website and turned down the 10k), I think it was smart for them to disband and take up a greater cause, and I guess time will tell if they are successful or just run out of water.

Re:Yikes. Coffee. Smell. Up. Getting.

The problem is the opposite. Actual security is ridiculously expensive and there is not a willingness to put up with that level of expense, especially not since any security you have, no matter how well done, can still be breached by someone who is sufficiently determined. So when few are willing to pay for actual security, and put up with the inconvenience required by actual security, you get products that try to patch things up a little bit for a much reduced cost. The much reduced cost may still be significant, but it is nowhere near the cost of actual security.

Screw vandalism, especially on "soft targets"

[schnell]

Here's the thing: information security, just like any other type of security or insurance, is completely relative.

My dinky little websites have adequate capacity to serve the few hundreds of people a day who visit them, but would not withstand a Slashdotting or DDoS. My house is secure enough to resist a burglar, but not secure enough to resist a Navy SEAL strike team. Does this mean I'm negligent? No, it means that I could spend thousands of dollars on additional infrastructure for security or capacity but I choose not to because it's highly unlikely I would need to.

That's why the example of LulzSec is pathethic and not instructional. There are lots of "soft targets" on the Internet (in terms of security or capacity) that you could take down pretty easily if you wanted to, just because those sites can't justify full-time security teams or massively extensible infrastructures. I'm not talking about high-profile sites like Sony or the CIA, but stuff like EVE login servers or some county in Arizona. A bunch of douchebag script kiddies taking down some MMO server doesn't necessarily mean that anyone was truly "negligent," it just means that they picked easy targets. And there is not, nor will ever be, a shortage of easy targets on the Internet if you're willing to aim at those.

Re:Screw vandalism, especially on "soft targets"

[wvmarle]

I don't agree with your analogy, as physical and digital security are too different. Not many houses can stand a SEAL attack, yet it is perfectly possible to connect a computer to the Internet with zero vulnerabilities (think OpenBSD).

Secondly, after a few decades of research that is still ongoing, there are plenty of known practices that make it easy to quite thoroughly secure a server. These issues include (list from memory, mainly related to recent attacks where this was the exact vulnerability):

• ssl set up to log in without password,
• SQL injection prevention (just escaping the input prevents most if not all of them - many libraries do this out of the box for you),
• set a session cookie after log-in, and use it,
• not storing passwords as plaintext but as (salted) hash - a preventative measure for in case you do get hacked,
• separate databases, and giving the web-facing script a separate user in the database with minimum permissions - so in case the server does get hacked the attacker still can not see much,
• a port-forwarding firewall letting through only traffic to the ports you need.

That's what I can think of, from the top of my hat. All of them are easy to implement - and when implemented will prevent most attacks from happening. Sure you won't be immune to zero-day attacks on your web server software, or other services. But it limits the attack vectors a lot already.

Not following such "best practice" standards I would call negligence.

Now I readily admit that my own server is also not configured perfectly, there is a bit of "security through obscurity" too of course. Yet I have a software-firewall blocking all but whitelisted ports, my SQL queries are sent to the database through a library that does the escaping and so for me, preventing SQL injection attacks automatically. No-one else has ssl access, so no way you can social engineer the password from me. Oh yeah and I don't need to store any personal details of visitors there, that also helps.

Most of these attacks appear to be SQL injection related. And that is easy to prevent: the MySQLdb module for Python is doing that for you already. That only leaves tests like type checking ("I expect an integer value - let's see if this string can be converted to integer"), and value checking ("this string should be no more than 20 characters", "this should be a positive integer, not larger than 100").

And indeed there will always be lots of soft targets - yet companies that take user's personal details must not be a soft target. High-profile web sites should also know that they will be a target of hackers (the higher the profile, the bigger the lulz for a successful attack after all), and as such have also no excuse to be a soft target. Yet it is several of those that have been proven to be pretty soft targets.

Re:Yikes. Coffee. Smell. Up. Getting.

[rtfa-troll]

They believed that money spent on security products == we are secure. They were not asleep..

Except that, according to the reports, Sony had servers for development which were fully protected with firewalls etc. and which were not hacked / hackable (by LulzSec) and other servers for customer data where they hadn't made any investment. So they hadn't spent that money. You may be right they weren't asleep. Someone made a conscious choice that customer data is not important, but it's not that they had made any of the investment they should have done.

Re:Yikes. Coffee. Smell. Up. Getting.

[jhoegl]

Or it could be that the person in charge of Development was smart enough to invest in it because they knew better and the person in charge of Customer Data was not.
We could come up with many scenarios, the only ones that know what happened internally are not going to speak out about it willingly.
One thing is for sure, what I have seen in the small business world is a mirror to big business. It IS ignorance at some level in the corporate model.
Ironically, this same model helps bring down corporations and small businesses alike. All it takes is one bad stone at the right point in the pyramid to make it all come crumbling down.