Slashdot Mirror


The Lesson of Recent Hacktivism

itwbennett writes "LulzSec says they're retired, which may or may not be true. But one thing the world has learned from their 'frightening yet funny escapades' is that 'the state of online security stinks,' writes blogger Tom Henderson. LulzSec (and Anonymous) have 'demonstrated that an awful lot of people are either asleep at the switch or believed in arcane security methods like security through obscurity.'" A related story at the Guardian suggests that governmental attempts to control the internet are spurring these activities.

18 of 159 comments

  1. Re:Twitter: by Anonymous Coward · · Score: 3, Funny

    It's a site that allows celebrities & famous people to make twats of themselves by not speaking through agents, PR or lawyers.

  2. Yikes. Coffee. Smell. Up. Getting. by Anonymous Coward · · Score: 5, Insightful

    They believed that money spent on security products == we are secure. They were not asleep. They did not believe in security through obscurity. They trusted the industry. They gave it money in return for products that were supposed to protect them. They lived in ignorant bliss. Unfortunately, the security industry (and the rhetoric they proclaim) is all about the end goal of the industry making money. Companies are lured into a false sense of security based on what they are being told, and what they spend money on - and it seems totally reasonable from their perspective. Unfortunately, the public (and the victim companies) are not aware of one tenth of one percent of what is actually going on. Any company that has anything worth significant financial value is either compromised or is a target with a big bulls eye on their gold stash - guaranteed.

    1. Re:Yikes. Coffee. Smell. Up. Getting. by rtfa-troll · · Score: 4, Interesting

      They believed that money spent on security products == we are secure. They were not asleep..

      Except that, according to the reports, Sony had servers for development which were fully protected with firewalls etc. and which were not hacked / hackable (by LulzSec) and other servers for customer data where they hadn't made any investment. So they hadn't spent that money. You may be right they weren't asleep. Someone made a conscious choice that customer data is not important, but it's not that they had made any of the investment they should have done.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    2. Re:Yikes. Coffee. Smell. Up. Getting. by phantomfive · · Score: 4, Insightful

      It's been my experience that most companies aren't even spending money on security. If they are even thinking about security, they are ahead of most. Many companies are leaving wide open, simple holes, like failing to escape their SQL, or parse out javascript. That is the lowest-hanging fruit. Really, it wouldn't surprise me if you could use Metasploit and nothing else to break into 20% of the major websites in the world.

      If you're a web developer, let it be a lesson to you: download some basic hacking tools and try them out on your own website. You'll definitely learn something.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Yikes. Coffee. Smell. Up. Getting. by jhoegl · · Score: 3, Interesting

      Or it could be that the person in charge of Development was smart enough to invest in it because they knew better and the person in charge of Customer Data was not.
      We could come up with many scenarios, the only ones that know what happened internally are not going to speak out about it willingly.
      One thing is for sure, what I have seen in the small business world is a mirror to big business. It IS ignorance at some level in the corporate model.
      Ironically, this same model helps bring down corporations and small businesses alike. All it takes is one bad stone at the right point in the pyramid to make it all come crumbling down.

    4. Re:Yikes. Coffee. Smell. Up. Getting. by CodeBuster · · Score: 5, Insightful

      They were not asleep. They did not believe in security through obscurity. They trusted the industry.

      It has often been said, by Bruce Schneier and others, that security is not a product that can be purchased, installed after the fact and forgotten, but rather an attitude and culture that must be cultivated and maintained. Knowledge and tools are important, but without the right attitudes and culture they will be of limited use. Remember that nobody cares more about your security than you do. If you don't care then nobody else will either, despite what they may tell you.

    5. Re:Yikes. Coffee. Smell. Up. Getting. by c0lo · · Score: 3, Insightful

      Actual security is ridiculously expensive and there is not a willingness to put up with that level of expense

      The cost of risk prevention: if the cost of risk mitigation is lower (no matter if people are burnt), there you have it.
      Far easier for them to externalize the cost and lobby for DMCA and anti-hacking laws - it's the populace that pays for the jail time.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    6. Re:Yikes. Coffee. Smell. Up. Getting. by hairyfeet · · Score: 5, Insightful

      This reminds me of an old story I was told by a teacher: A friend of his goes in to do some hired gun work for this company and gets told by the PHB he is NOT allowed under ANY circumstances to touch the NT 3.whatever server box. It has run great for years and he don't care if it is out of date, it works so just clean the fans and go on. Now since he had worked with NT 3.whatever before he didn't see how this machine had been doing its job all these years without a single fail. So he logs into it and what does he find? It is actually some version of Fedora. Apparently the guy before him got tired of the BS and just changed it out without telling the PHB.

      And it is THIS, this right here, that is often the problem. It isn't that the IT guys don't want to do a good job, it is that some PHB is cockblocking them at every turn. I myself ran into this doing some hired gun for a law firm. I told them I didn't have time to support the place but I recommended a couple of different guys who could do the job well. they had experience, their prices were reasonable, so what happened?

      Somebody decided they cost too much and "he knew a guy" that was "a whiz at computers" and could do it for half the price. I get called back a year later when they catch this clown running a gaming server and downloading porn on company time and...wow. He had first of all took ALL the nice neat Dell office boxes, which were standard MOR office machines, and chunked them because they were "too slow" and instead custom built a bunch of gamer rigs from kits so of course nothing matched, then since he didn't know shit about corporate networking he bought a bunch of Dlink home routers you know, the shitty blue ones? Oh and that is not all, he had more than half a dozen ISPs as his idea of "adding capacity" was just to add another ISP.

      So needless to say fixing that clusterfuck wasn't cheap, neither for me nor all the hardware I had to buy to replace his gamer shit, so did the guy that caused this mess get punished? Nope, he had already got promoted a couple of times for all the money he saved them on "IT costs" and was no longer in charge of anything IT and therefore didn't get the blame...ARGH!

      So if you want to know why networks are a mess, it often ain't the IT guy (except for gamer retard) it is the stupid ass, dumb shit, WTF are they thinking, Dilbert bullshit that goes on every single damned day in this country. The PHBs get rewarded for saving money even if that money was saved by sacking anyone who knew what the fuck was going on, they cause one clusterfuck after another, but ultimately they don't care because they either fail up or use their "success story" to move to another company.

      This is why I had to get out of corporate and open my little shop, as the stress of absolute insane stupidity was giving me chest pains. It was like a friend who ended up being threatened with losing his job and got drug before the regional head. The PHB above him wanted him fired because, and I quote "You have NO RIGHT to tell me who I can and can't talk to! I demand you give me my emails from Melissa right now!". He got lucky that the regional head actually watched the news so he went "He isn't talking about the virus, is he?" and when he found out that yes, senior bigfool wanted Glenn to let Melissa loose on the network the PHB got a dressing down and Glenn got an apology and a free steak dinner.

      But it is that kind of rampant herp derp that is the cause of this bullshit and frankly I don't see how some script kiddies are gonna undo decades of upward failure and PHBs. Oh and what you are talking about is what me and my friends called "black box thinking" which sadly I saw every time the salesmen came around. You wine and dine the PHB and give the "This (insert device) will make you (insert hacker, virus, fool) proof!" and sadly they'd bite 9 times out of 10. Needless to say the shit never worked like it was sold, but since the PHB never got dinged for it who cares, right?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:Yikes. Coffee. Smell. Up. Getting. by Dunbal · · Score: 4, Insightful

      I hate it when this excuse is used. And it's used often in business in many areas, not just security. It's the junior manager's way out - the way to duck and hide behind someone else. But while it's true a contractor, agency, or someone else will never do as good a job as you would if you did it yourself - at the end of the day it's the responsibility of the guy who approved and signed the cheque. If you don't even take the time to review the work you contracted, if you don't even bother to keep ONE person around who has any notion of how the work should be done and get him/her to go over it and approve it before it's accepted, then my friend, you deserve the good anal fucking that you are about to get.

      --
      Seven puppies were harmed during the making of this post.
    8. Re:Yikes. Coffee. Smell. Up. Getting. by jellomizer · · Score: 3, Informative

      So why would you put less trust in a new-hire employee than a contractor? It isn't the contractor's fault, or choosing a contractor; sometimes they can offer really good quality work for less cost than hiring (no matter what the Union propaganda tells you). The problem falls back into management. If you hire a contractor to do the work, and especially if you have never worked with them before, you really cannot fully trust his code. You will need to audit it, and check it. Just because they do it for a living it doesn't mean they are any good at it. If the company doesn't care about security neither will the contractor. If the company cares about security so will the contractor.

      For a lot of these outsourced companies they are tailored towards low cost. As that is what they wanted, if they wanted higher quality then it will cost them.
      There is a Venn diagram for this. You have Cheap, Fast, and Good; you can only pick two.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    9. Re:Yikes. Coffee. Smell. Up. Getting. by DRBivens · · Score: 3, Insightful

      In my experience, the COST of security matters much less to people than does the INCONVENIENCE it entails. Many organizations are quite willing to spend money on security hardware, software, and services. Secure implementations can be defeated by authorized users who either perceive the security as inconvenient or unnecessarily harsh ("I'm not going to lock my screen before I get coffee; I'll only be gone for a couple of minutes.")

      One solution might consist of better user training coupled with better security design (protect truly secret data but don't worry about disclosure of information freely obtainable by outsiders via mechanisms like FOIA, stockholder inquiry, etc.)

      It's a challenge, regardless of what you have to protect--or how you choose to protect it.

      --
      You have the right to remain silent. If you don't, anything you say will be misquoted and used against you.
  3. Regarding Lulzsec by Anonymous Coward · · Score: 5, Interesting

    LulzSec might have ended, but I can guarantee you the exact same stuff is happening underground, except this time you probably won't know all your information has been stolen. Other than exposing corrupt whitehats I don't really agree with their actions, but I'm not sure if the alternative of keeping it in the hands of underground blackhats and IRC scriptkiddies is any better (not that it wasn't going on during LulzSec as well, but still).

    Regardless, the AntiSec movement seems to be picking up some steam, at least within Brazil (protests are planned for July 2nd), and the first AntiSec release has just been posted to Pirate Bay: http://thepiratebay.org/torrent/6502765 with more promised tomorrow.

    Regardless of their "supposed" script kiddie status (they did break into a hacking contest website and turned down the 10k), I think it was smart for them to disband and take up a greater cause, and I guess time will tell if they are successful or just run out of water.

  4. Re:I disagree by Triv · · Score: 5, Informative

    V for Vendetta? Seriously? That quote's from W.B. Yeats:

    Turning and turning in the widening gyre
    The falcon cannot hear the falconer;
    Things fall apart; the centre cannot hold;
    Mere anarchy is loosed upon the world,

    http://www.potw.org/archive/potw351.html Credit where it's due.

  5. Simple reason: Nobody wants security by Opportunist · · Score: 5, Insightful

    Nobody wants security. Everyone wants compliance.

    From an auditor's point of view, it's very easy to explain the reason why the security in most companies is at a level that's not even laughable. No company is interested in it. What they want is certificates, they want their ISO27k and their PCI-DSS, but not because they want them to know for themselves that they're secure, they want them to display to others that they are, so they can get contracts or are compliant with legal requirements to be allowed to do something.

    Now, some might think security and compliance with security requirements is the same. Both mean that you "want" security. And that's the fallacy. Security is something you want yourself. You want security because you want to be secure. Security is in this case the primary interest and the focus by itself. Compliance is something that is forced onto you. You want security because someone else wants you to be secure. Security is in this case only the means to the goal, be it to conform with legal requirements to continue operations or be it to be allowed to process credit card payment.

    Within the last decade or so, the number of companies where I actually had the idea that they wanted security for themselves, even if only as a side effect to the compliance requirements, was very, very low. Most want to get done with it, preferably fast and without hassle. If the compliance requirement is that your door is locked and barred but doesn't say anything about your windows, they won't even listen to you if you tell them they have no windows but just big holes in the wall. Their door is sealed, that suffices to be compliant. The windows? Not part of the compliance requirement, we don't care.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Simple reason: Nobody wants security by Tom · · Score: 5, Insightful

      Disclaimer: I've worked in compliance until recently, but my background is security.

      The problem you outline is real, but you are missing a point: Compliance got traction because companies don't invest in security. The risk/reward just doesn't work out. A million credit cards lost? The PR to fix that is a lot cheaper than the security investment to prevent it. And the real damage isn't for you, it's for the credit card holders and their companies.

      That's why compliance became so big, because too many people realized that unless you force them, companies won't do security. The same way that airbags in cars didn't become standard issue until some laws were passed. Human beings are horrible at risk management for everything that falls outside our daily experience.

      The quality of your compliance managers determines if you're just following the book, or actually bringing an advantage to the company. I pride myself on IT management being happy they had me (I wasn't part of IT, to them I was an outsider from the finance department, the compliance hand of the CFO). You can do compliance in a way that IT doesn't hate and that gives you actual benefits.

      Unfortunately, too few compliance managers are IT people, much less IT security experts. Which leads to them doing things "by the book". Or, as it's called in other contexts: Work-to-rule. As we all know, that's not work, that's sabotage.

      --
      Assorted stuff I do sometimes: Lemuria.org
  6. Screw vandalism, especially on "soft targets" by schnell · · Score: 5, Interesting

    Here's the thing: information security, just like any other type of security or insurance, is completely relative.

    My dinky little websites have adequate capacity to serve the few hundreds of people a day who visit them, but would not withstand a Slashdotting or DDoS. My house is secure enough to resist a burglar, but not secure enough to resist a Navy SEAL strike team. Does this mean I'm negligent? No, it means that I could spend thousands of dollars on additional infrastructure for security or capacity but I choose not to because it's highly unlikely I would need to.

    That's why the example of LulzSec is pathetic and not instructional. There are lots of "soft targets" on the Internet (in terms of security or capacity) that you could take down pretty easily if you wanted to, just because those sites can't justify full-time security teams or massively extensible infrastructures. I'm not talking about high-profile sites like Sony or the CIA, but stuff like EVE login servers or some county in Arizona. A bunch of douchebag script kiddies taking down some MMO server doesn't necessarily mean that anyone was truly "negligent," it just means that they picked easy targets. And there is not, nor will ever be, a shortage of easy targets on the Internet if you're willing to aim at those.

    --
    "95% of all Slashdot .sig quotes are incorrect or completely fabricated." -Benjamin Franklin
    1. Re:Screw vandalism, especially on "soft targets" by wvmarle · · Score: 3, Interesting

      I don't agree with your analogy, as physical and digital security are too different. Not many houses can stand a SEAL attack, yet it is perfectly possible to connect a computer to the Internet with zero vulnerabilities (think OpenBSD).

      Secondly, after a few decades of research that is still ongoing, there are plenty of known practices that make it easy to quite thoroughly secure a server. These issues include (list from memory, mainly related to recent attacks where this was the exact vulnerability):

      • ssl set up to log in without password,
      • SQL injection prevention (just escaping the input prevents most if not all of them - many libraries do this out of the box for you),
      • set a session cookie after log-in, and use it,
      • not storing passwords as plaintext but as (salted) hash - a preventative measure for in case you do get hacked,
      • separate databases, and giving the web-facing script a separate user in the database with minimum permissions - so in case the server does get hacked the attacker still can not see much,
      • a port-forwarding firewall letting through only traffic to the ports you need.

      That's what I can think of, from the top of my hat. All of them are easy to implement - and when implemented will prevent most attacks from happening. Sure you won't be immune to zero-day attacks on your web server software, or other services. But it limits the attack vectors a lot already.

      Not following such "best practice" standards I would call negligence.

      Now I readily admit that my own server is also not configured perfectly, there is a bit of "security through obscurity" too of course. Yet I have a software-firewall blocking all but whitelisted ports, my SQL queries are sent to the database through a library that does the escaping and so for me, preventing SQL injection attacks automatically. No-one else has ssl access, so no way you can social engineer the password from me. Oh yeah and I don't need to store any personal details of visitors there, that also helps.

      Most of these attacks appear to be SQL injection related. And that is easy to prevent: the MySQLdb module for Python is doing that for you already. That only leaves tests like type checking ("I expect an integer value - let's see if this string can be converted to integer"), and value checking ("this string should be no more than 20 characters", "this should be a positive integer, not larger than 100").

      And indeed there will always be lots of soft targets - yet companies that take users' personal details must not be a soft target. High-profile web sites should also know that they will be a target of hackers (the higher the profile, the bigger the lulz for a successful attack after all), and as such have also no excuse to be a soft target. Yet it is several of those that have been proven to be pretty soft targets.
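The "failing to escape their SQL" point in phantomfive's comment and three items from wvmarle's list (driver-side SQL escaping, salted password hashes, type and range checks on input) side by side, as an added example written for this page, not code from any commenter. It assumes the standard-library sqlite3 module in place of MySQLdb (same DB-API placeholder mechanism, "?" instead of "%s"), and all user names, passwords and the injection string are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the comment's MySQL setup.
# sqlite3 uses the "?" placeholder; MySQLdb uses "%s", but the mechanism is
# the same: the driver, not string formatting, quotes the value.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a leaked table exposes hashes, not passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(name: str, password: str) -> None:
    salt = os.urandom(16)               # a fresh salt per user
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))

def lookup_vulnerable(name: str) -> list:
    """The anti-pattern: user input pasted straight into the statement text.
    Kept only to show how the safe version below differs."""
    return conn.execute(
        "SELECT name FROM users WHERE name = '%s'" % name).fetchall()

def lookup_safe(name: str) -> list:
    """Same query with a driver placeholder; the input can never become SQL."""
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def verify_password(name: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))

def parse_quantity(value: str, limit: int = 100) -> int:
    """Type and range check as the comment describes: must convert to an
    int, and must be a positive integer no larger than `limit`."""
    try:
        n = int(value)
    except ValueError:
        raise ValueError("expected an integer") from None
    if not 1 <= n <= limit:
        raise ValueError("out of range")
    return n

def accept_quantity(value: str) -> bool:
    """Boolean wrapper around parse_quantity for callers that only gate."""
    try:
        parse_quantity(value)
        return True
    except ValueError:
        return False

register("alice", "correct horse")   # constructed sample accounts
register("bob", "hunter2")
INJECTION = "x' OR '1'='1"           # constructed input for the demonstration
```

With the constructed rows, `lookup_vulnerable(INJECTION)` returns every user while `lookup_safe(INJECTION)` returns nothing, which is the whole difference between string formatting and a placeholder.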

  7. Re:I disagree by Raenex · · Score: 3, Insightful

    I swear to fucking god - look at how my posts are modded on this thread.

    Don't bring up Bush and claim your post isn't flamebait. I mean, seriously, this is what you said:

    "I actually blame the parents (the Bush-haters) for breeding such a bunch of twats as LulzSec. Please don't mark this down as flamebait"