Lulz Security


Binaries

What's your view on Lulz Security and their recent activity?

I think it's two words that don't really go together. Finding flaws in systems that contain people's credit cards and sharing that on pastebin isn't funny. I think in a way, lulzsec is making people wake up to the fact that, hey, if we can find these flaws, damn sure criminals with worse intent could too, and for that, they are treading a fine line between being helpful and harmful to these companies at the same time. I think that if you have that kind of power, how you use it is important. I don't want to preach about ethics, as lulzsec and anonymous follow their own beliefs on that, and not to sound cliché, but to take a line from a Spiderman movie, "With great power, comes great responsibility". I'm sure there are channels that their groups could have gone through to contact and inform these companies of their security flaws. If then the companies didn't take them seriously and step up to fix them, then sure, go full disclosure to the world, but I personally feel they could have brought it to the attention of the parties involved first.

Now, with respect to something like Sony. Sony in some manner of speaking kind of did this to themselves. Not even so much for the flaws that allowed them to get hacked a bezillion times over, but the fact that they went after modders and tinkerers who wanted to make their PlayStations do more than what they were intended to do, stifles innovation and fair use, and as such, enraged a whole community of people who probably went a little overboard in the attacks on them. Sony made their bed, now they can lay in it.

Lulzsec and anonymous had the potential to do a lot of good, but I think for the most part, they are interested more in fame, bragging rights, and the rush/high that comes from doing the things they are doing. Exposing flaws is commendable, and I applaud them for this. What they expose though, I think is not so commendable, when they share people's info from these databases, or even keep for themselves, this is pretty much criminal activity, and for that, they can't complain when they get arrested for breaking the laws of various countries and places around the world. Kind of like Fight Club. First rule of fight club is you never talk about fight club. We all know how that turned out in the movie. It self-imploded. It's already sort of happening with Anonymous and the splinters of people who left and are attacking each other among themselves. Eventually I think they will bring themselves down from going after one another, and this will probably get really messy before it's all over. The other thought is that there are other anti-sec movements and groups, and some that might not like lulzsec and anonymous, so rivalries among all these groups could come to a head eventually. Lulzsec and anonymous were rivals at first, but apparently have joined forces? Can't confirm that, but I imagine that in itself has caused a lot of tension within the groups already, from people in both camps who might not want this sort of joint venture in the first place, and wouldn't surprise me if we see two, or more groups split from them and start their own campaigns.

It's becoming very soap opera'ish at this point.

What's your view on Lulz Security and their recent activity?

I don't condone what they've done, maybe if they weren't posting all that sensitive information all over Pastebin and TPB I might see them as more of a white (ish) hat group. But their intentions are mainly malicious. And while we do need people to point out flaws in networks, this is not the way to go.

Edited by CanadianTaco
I pretty much agree with what Digip said, and on the other hand it's sad to see great minds accomplishing nothing, by breaking the law. You know, the least they could do is help out those companies with their security issues, rather than trying to steal or expose customers' confidential information.

Edited by Infiltrator
I'm full on with digip here, although there is one other thing.. they give hackers a horrible name... The fucking media already gives us enough shit and they're just feeding the fire...

You know I actually had a store keeper ask me if I was a member of anonymous! and then he started preaching about how they/"I" stole his credit card!

WTF>>.... I was talking about modding a ps2 wtf....

That's the other side of the coin too. Now when a hack happens, they will all be like, hey, lulzsec or anonymous hacked so and so, or sony got hacked again, must be anonymous. It's not like hacking doesn't happen on a daily basis by other groups, just most of them don't go around bragging about it. The ones who leave their "this site hacked by - Insert Generic Group Name Here-" are all in it for the fame. They want the world to react. They are probably very skilled, but instead of applying it to do something with their life, they walk around like they are rebels and fighting the good cause. The only thing they are doing, this whole anti-sec movement, is keeping people who work in security hired. It's job security for those who work in the security field, and for that, they are helping the same people they want to go after. Blackhats hacking whitehats, putting them down, only gets themselves arrested, and the whitehat a job.

It's going to happen. They were helping people. By doing what they did they made people more security conscious and now the internet will be safer for a few people. I think it's funny, and even if it was me I would think it was funny, because I would just become someone else and start over, not like I have much anyway. LulzSec made us think twice before opening emails.

It's going to happen. They were helping people. By doing what they did they made people more security conscious and now the internet will be safer for a few people. I think it's funny, and even if it was me I would think it was funny, because I would just become someone else and start over, not like I have much anyway. LulzSec made us think twice before opening emails.

Made who think twice, because Sony and PBS are still getting whacked. The thing most security people know about attacks that companies don't understand, is that the same attacks keep getting used over and over again. Usually the low hanging fruit gets picked, but generally, it's a flaw that has already been seen many times over. 0day happens, but a lot of the stuff we are seeing with the lulzsec attacks has later turned out to be old flaws that were not secured or patched against. Granted there was the HBGary Social Engineered attack, but before they got that far, I believe part of the attack involved sql injection before they did the SE part, so at the end of the day, unless companies fix known flaws that off the shelf scanners can find, no one has learned anything from this.

How many businesses, aside from super big names, are paying attention to the lulzsec attacks? Do you think every company will suddenly be aware that they are at risk? To give you an example, Nickerson recently blogged about another pentester's post about a job they had to do for a client, but there were restrictions on the scope of the test. As Chris has said before, companies who limit the scope of the attacks used to test their systems, don't benefit the companies hiring people to do the tests. Attackers have no rule book, or limited scope to go after. All bets are off, but companies don't want to spend the money, and if some IT Manager can save his department money, and at the same time, come back with a clean bill of health from an Audit, he will probably get a bonus, pat on the back, and work his way up the ladder. Unless the person hiring the testers is truly concerned about security and has some knowledge about it to begin with, something most CEOs don't know or they would be doing security to begin with, then chances are they only care about being "compliant" and staying within budget. Companies don't hire in house security teams any more unless they are in the business of IT Security themselves. Everything is outsourced these days and most IT employees are now just hired analysts or contractors hired for a short time basis to do specific roll outs or upgrades, then they leave. The last place I worked at started doing this when we got bought out by another bank, and then they laid off department after department. The customers noticed the difference in service, and they had all sorts of problems, but the company didn't care, because they went from being personable with their staff to not even knowing who sits at which desk month to month.

So to say LulzSec made us think twice before opening emails, is pretty naive. Those of us who are now cautious or were already cautious are like this because we take interest in these sorts of things, such as computers, security, etc. The rest of the world still lives in a bubble with no clue on the reality of what happens online. For the most part, we still have people that think you can launch nuclear missiles by whistling launch codes into the telephone (aka Kevin Mitnick myths). A few weeks from now when lulzsec popularity starts to fade, people will go back to the same daily doldrum of existence, and be none the wiser for them having been here. For all their ruckus to call themselves anti-sec, all that will happen is more people in the security community will get hired for jobs to protect networks, which will still probably end up being flawed, because corporations will still limit their scope to budget and complicity, while lulzsec goes after some other targets. And that is the sad part, where innocent people whose information is on these systems, gets strewn around in the meantime, and only those directly affected will care about what happens.

Dig.. just an FYI most of your posts are TL;DR

just sayin lol

"Too long, didn't read", but thing is, that's the same attention span people have with what lulzsec is doing. Their impact is minimal to the mainstream, non tech people.

But their targets were not corporate executives, government officials or clueless bank customers. They were other hackers.

It makes sense attacking corporate executives or government officials but how would attacking another hacker work.

Edited by Infiltrator
It makes sense attacking corporate executives or government officials but how would attacking another hacker work.

Not all hacker groups believe in what lulzsec was doing, and apparently, even some of them from their own group have defected, but when you get involved with criminal hacking groups, one would think that unless they all grew up close friends, there really can't be any level of trust that extends further than their ethernet cable from the pc to the router. Lulzsec and anonymous started out as separate groups, then a little rivalry, then supposedly they had joined forces. I imagine there is still quite a bit of conflict and in-fighting among themselves, which probably existed long before they joined forces too.

Kevin Mitnick mentioned something on twitter, and he said (and I'm paraphrasing here, don't know the exact quote) "show me any hacker who has been arrested and wasn't snitched on by another person". Get to one or two people in a hacker's group, and depending on the relationships these people had with one another, I'm sure someone will start singing like a canary. Look at the Bradley Manning case and Adrian Lamo. Lamo, having been in jail previously for hacking crimes, was obviously fearful for himself when Manning confided in him. Knowing that any involvement would send him back to prison if something came of it all, he basically folded all his cards and turned Manning over. I don't know that I would blame Lamo 100% for that either, given his past and record, is a very strange position to preach about honor and integrity until someone is put in that situation to begin with. Not to mention, that Lamo would have to be suspicious of anyone, who may or may not have been setting him up to begin with, his fears got the best of him and he ratted Manning out.

I think for one to learn about hacking and knowing how to do all these things, it's fun, interesting, and has legit use when applied in the right places, but people who engage in criminal hacking have to know, you either act alone and never speak of these things, or you may as well consider yourself marked for arrest at some point. I wouldn't want to live that way, in fear of what may happen to me if I decided to hack a government site or any site/system for that matter.
