Comedic Mayhem: LulzSec's Pranks Highlight Cyber Security Flaws


A new group of hacking pranksters responsible for resurrecting Tupac, bringing Sony to its knees and breaking into the CIA's public Web site has drawn an unlikely set of admirers: the cyber security industry.

Through the taunting of some of the world's biggest companies and by doling out corporate headaches by the hundreds, the mischievous group known as LulzSec has highlighted major security flaws that need to be addressed.

Named after a variant of LOL, which is Internet slang for "laugh out loud," the loosely organized group of hackers, also known as Lulz Security or the Lulz Boat, claims it merely provides high-quality entertainment at your expense.

Yet the group that has so far claimed responsibility for attacks on Sony (NYSE:SNE), Nintendo, PBS, FBI affiliate Infragard, security company Unveillance and even the U.S. Senate and CIA has proven to be an embarrassing adversary of opponents with penetrable security systems.

LulzSec seems to be thoroughly entertained by the mayhem it causes. The group is now even operating at least two switchboards and taking calls from fans.

"They certainly seem to have a sense of humor, albeit a bit twisted," said Jason Glassberg, co-founder of Casaba, an Internet-security product and services company.

Underscoring the group's growing popularity, LulzSec has seen its Twitter fan base skyrocket since first entering the spotlight in May. Its followers have more than doubled to 180,000 this week alone.

Band of Pirate-Ninjas

Some say the group is just devouring media attention, but LulzSec claims its primary goal is to spread what it calls "the lulz," which seems to be an effort to identify and expose security vulnerabilities of certain institutions, all while having a little fun and entertaining its supporters.

While there isn't too much information available about the group, it seems to be more of a grey hat protest organization filled with jokesters than a criminal black hat enterprise based on profit, Glassberg said.

"I can only imagine their intentions are to show and demonstrate how poor the security actually is in some of these big companies," he said. "People trust all their information on these large companies' Web sites to be safe and it's just not."

Even though LulzSec publicly mocks some flaws through its satirically written press releases and Tweets, the group has also shown a sensitive side. The Lulz Boat politely encouraged the U.K.'s National Health Service last week to patch its security holes, saying in an email to the NHS that LulzSec means no harm and only want to help you fix your tech issues.

In that email, LulzSec called itself a band of pirate-ninjas and said it stumbled upon several administrative passwords some time ago as it was traversing the Internets for signs of enemy fleets.

While the NHS was quick to defend itself, LulzSec said on Twitter that it never planned to exploit those passwords. Shortly after, the NHS reportedly issued guidance to its local branches about how to protect and secure digital assets.

Similarly, after leaking information it stole about video game publisher Bethesda Softworks, LulzSec asked the company via Twitter to "please fix your junk." It also encouraged video-game maker Sega to contact LulzSec for help destroying the hackers that attacked its system.

Some believe the FBI is on its tracks, but Lulz taunted officials last week by claiming it has yet to lose a member. Days later, LulzSec hacked the U.S. Senate Web site and claimed it doesn't like the U.S. government very much, before lightening the mood by saying its attack was just for kicks.

The U.S. Senate was quick to downplay the threat when LulzSec claimed responsibility. But the break-in still caused the government embarrassment and led it to review all of its Web sites.

Silent Applauds for Lulz

Whether LulzSec is in it for publicity, money, heroism or just giggles, the group's ability to so seamlessly snag information from large companies or those organizations closest to national secrets only brightens the spotlight already shining on cyber threats.

"LulzSec is running around pummeling some of the world's most powerful organizations into the ground... for laughs! For lulz! For (kicks) and giggles," Patrick Gray said in his popular cyber blog Risky Biz. "Surely that tells you what you need to know about computer security: there isn't any."

In addition to LulzSec's hacks, security shortfalls have been the culprit behind attacks this year against Sony, government contractor Lockheed Martin (NYSE:LMT), EMC (NYSE:EMC) and Google (NASDAQ:GOOG), among others.

The hackings should be more than just an embarrassment for the victims and a source of comedy for others. Security experts say they should also serve as an important warning that many institutions' security walls aren't nearly as thick as they think.

"You marvel at some of the ridiculous and almost simple hacking tricks they are able to pull to get these really large companies," Glassberg said, noting LulzSec has been able to access sensitive information using only a basic SQL injection attack.

"A lot of people are secretly rooting for these guys in the sense they are exposing just how weak some of these securities are," Glassberg said. "It's a problem, and it's only by actions such as these by the Lulz guys that it comes to light."

As the boundaries of the Internet continue to rapidly expand, and vulnerabilities become even greater, hackers discover more opportunities to exploit information from a number of different vantage points, SecureInfo CEO Christopher Fountain said.

"There are guidelines to manage and mitigate risk, but there is no way to eliminate it," he said. Companies need to think about security from the very beginning when they are still designing their systems and use ethical "white hat" hackers, who simulate an attack, to patch any remaining vulnerabilities. From there, they have to keep up with the latest version of security software.

"Don't underestimate the need for security because it'll cost you," Glassberg said, "doubly if you are processing payments or doing anything with personal identifiable information."