Teachout Security Solutions


LulzSec hackers–Just Having a Laugh?

LulzSec defaced the Web site of a consulting firm that offers a reward for hacking the site and posted this image. (Credit: LulzSec)

Despite the official-looking Justice and Homeland Security department symbols and notice saying “this domain name has been seized by ICE (Immigrations and Customs Enforcement) – Homeland Security Investigations,” the page was a hoax. A search of Whois showed that the domain “www.lulzsecurity.org” was registered early today. In addition, the site the hacking group has been using to promote its activities–www.lulzsecurity.com–remained up.

“ICE has not taken any enforcement action against this site,” a Department of Homeland Security spokesman said in an e-mail to CNET. “The site owner/administration redirected www.lulzsecurity.org to our name server, where the seizure banner is hosted.”

It’s unclear who was behind the hoax–LulzSec members themselves, supporters trying to fool people, or others wanting to make the group look bad. Either way, the prank represents the spirit of lulz, which is a derivation of the acronym for Laugh Out Loud (LOL). The group’s actions are seen by some security experts as a revival of old-school hacking that was motivated by a sense of fun rather than profit.

LulzSec’s mascot is a cartoon of a monocled man in top hat and tie with a handlebar mustache holding a glass of wine, evoking a character of leisure and decadence. The group has an ASCII cartoon graphic on its site of a boat and the site plays an audio clip of the theme from “The Love Boat” TV show from the 1970s and 1980s. A link to “mute” the song actually turns the volume up instead.

“We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cybercommunity is a burden on what matters: fun,” the introduction on their site says. “Considering fun is now restricted to Friday, where we look forward to the weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calendar year.”

LulzSec gets a kick out of posting fake “news.” Last week, LulzSec hacked PBS.org, leaked passwords, and pasted a spoof news article on the site claiming that deceased rappers Tupac Shakur and Biggie Smalls were alive and residing in New Zealand. LulzSec said they were punishing PBS for a Frontline program on WikiLeaks that the group claimed was biased against the whistleblower site. (They also were initially reported to have hacked the Web site of the Conservative Party of Canada and posted a fake news story on the site, but it turned out another group was responsible.)

And earlier today, LulzSec released an e-mail it said it had sent to the National Health Service in the UK warning it about a security hole in its network, but did not post the information publicly.

“We’re a somewhat known band of pirate-ninjas,” the e-mail said. “Some time ago, we were traversing the Internets for signs of enemy fleets. While you aren’t considered an enemy–your work is of course brilliant–we did stumble upon several of your admin passwords, which are as follows:…” The data that followed was blacked out and the e-mail said: “We mean you no harm and only want to help you fix your tech issues.”

A Department of Health spokesperson told the BBC that no patient data was compromised and the issue affected only a “small number” of Web site administrators.

Heroes to Some

The NHS action elicited praise from many LulzSec followers on Twitter, who already admire the group for its attacks that highlight poor security on sites of big companies, like Sony, Nintendo, and FBI affiliate Infragard Atlanta. “I’m officially in love with @LulzSec,” wrote one person. Others are calling them heroes.

The group has 120,000 followers on Twitter, more than double the number that Sony Music Global has. And it claims to have received more than $7,000 in donations, most of it from one generous supporter, via the Bitcoin virtual currency that is designed to be untraceable (and has attracted the attention of Congress).

LulzSec first cropped up in early May, with a hack on Fox’s X Factor site that exposed contestants’ personal information and other internal Fox data. Then, LulzSec joined other hackers in targeting Sony with a vengeance. The group says it was responsible for attacks on Sony Music Japan, Sony Pictures, Sony BMG Belgium and Netherlands, Sony Computer Entertainment Developer Network (allegedly stole source code) and Sony BMG, according to a timeline on Attrition.org.

The current attacks on Sony started after the company took a PlayStation 3 hacker to court and was punished with a denial-of-service attack by the Anonymous group. Shortly thereafter there was a breach on Sony’s PlayStation Network and Sony Online Entertainment sites that exposed millions of records containing e-mail addresses and other information of customers. No one has claimed credit for those breaches. So far, there have been about 20 attacks on Sony sites in recent months.

LulzSec claims to be motivated by the sheer fun of causing trouble. But the data it exposes could be used to target the people whose information has been revealed with phishing, identity fraud, and other types of attacks.

The group also seems to delight in embarrassing security firms. The group defaced the home page of Black & Berg Cybersecurity Consulting, which offers $10,000 to whoever can modify the site’s home page. (LulzSec obviously declined the reward.) Another hacking victim from the attack on FBI partner Infragard, the CEO of Unveillance, claims the hackers tried to extort money and data from him in exchange for not going public with his personal information. LulzSec has denied that claim, despite the evidence of it in chat logs.

“They are causing some harm, of course, but they probably have the ability to create more harm,” said Kevin Mitnick, who spent time in jail for hacking and now runs his own security consulting business.

“They’re a bit out of control because they’re hitting FBI partners,” he said. “That takes a lot of balls. The group must feel pretty invincible.”
