2011 Reg roundup: Hacking hacks, spying apps and an end to Einstein?

Smartphones, privacy and a year of tears


Anonymous, Lulzsec and the attack of the hacktivists

Hacktivism - people launching attacks and stealing data for purportedly political ends - arguably hit a high-water mark in 2011. It was accompanied by the rise of street protest movement Occupy, and allowed itself to become associated with Robin Hood-types disgruntled with bankers and the excesses of the capitalist system. Hackers often justified their own actions on anti-establishment grounds or as a quest for revenge against perceived injustice.

It was the year when Anonymous, a reasonably long-running and loosely grouped bunch, was joined by Lulzsec, a smaller but even more anarchic group.

Their preferred weapon of choice, the Distributed Denial of Service (DDoS), was allied to hacking into insecure databases and mail spools before releasing their contents onto the net, to the embarrassment of victims.

Lulzsec burned bright but briefly in hacktivism

By the middle of the year, it seemed every day somebody somewhere was claiming another DDoS, web site re-direct, or data theft on behalf of Anonymous, Lulzsec or both.

Targets included entertainment industry firms for their stance against file sharing, newspaper sites of Rupert Murdoch's News International and his Fox TV station, NATO, banks, websites run by the governments of Egypt and Tunisia during the Arab Spring protests, FBI-affiliated security organisations and different law enforcement operations across the US out of revenge for the arrest of alleged members of Anonymous and Lulzsec.

Sites were knocked offline and gigabytes of personal data - email, credit card details, and social security numbers - lifted. Their actions made headlines, not just for who they attacked but also for the accompanying claims of robbed data. Hacktivists also liked to think they were untouchable: US security firm HB Gary Federal had threatened to reveal the identities of members of Anonymous at a security conference, Security B-Sides, but instead HB Gary Federal found itself hacked, its website defaced, its Twitter feed hijacked and its email spool released.

But just how apocalyptic was this? Many of the claims of data breaches couldn't be substantiated while some attacks seemed rather petty, such as Lulzsec posting a fake story on PBS about rapper Tupac Shakur being alive out of revenge for a PBS documentary on Wikileaks' Julian Assange.

And when it came to dropping the big bomb, the hacktivists kept holding off. Anonymous held back on threats to release caches of classified NATO documents while Lulzsec didn't follow through on a threat to release News International emails that it claimed to have acquired during the redirection attack on The Sun's website.

Curiously, however, arguably the biggest hack story of the year - the breach and take down of Sony's Playstation Network, a vital artery that connects millions of Playstation gamers - was a coup that Anonymous couldn't walk away from fast enough.

The Sony Playstation Network hack saw the details of 77 million gamers compromised and the network offline for 23 days. Just prior to the attack in April, Anonymous had posted a self-important and sanctimonious message warning Sony it would "experience the wrath of Anonymous" for its legal action against PlayStation 3 hacker George Hotz. Yet Anonymous denied any role in the crippling PlayStation Network hack. Was it Anonymous all along, some member of the group whose actions those in the centre didn't agree with, or was it somebody - as yet - unknown?

The incident pointed to the real problem with Anonymous: it's not a functioning, centralised operation and is instead a chaotic affiliation of splinter cells and individuals with a generalised sense of identity. It is more a group when perceived from the outside.

By summer, the hacktivists also seemed to be on the back foot with arrests in full swing: 21 people cuffed in the US and seven in the UK for their alleged role in the December 2010 DDoS on Paypal, Amazon, MasterCard, Bank of America and Visa over their decision to stop handling the account of Wikileaks.

A pivotal moment came on June 22 when alleged Lulzsec member Ryan Cleary, aged 19, was arrested and charged with five computer crime offences, including allegations of building a botnet and unleashing DDoS attacks, among them a cyber-attack on Britain's Serious Organized Crime Agency (Soca).

Five days later, Lulzsec told the world on Twitter it was retiring - barely a month after it had established its presence on Twitter. The group told the AP it wasn't running because it was afraid of law enforcement, just: "The press are getting bored of us, and we're getting bored of us."

Was this the end? Anonymous was still venting as late as October, stealing data and holding it to ransom. The group published a dossier of personal information on the head of Citigroup in retaliation for the arrest of protesters at an Occupy Wall Street demo.

Like the Occupy movement, however, a sustained focus was missing; the attacks seemed opportunistic - relying on the security oversights of their victims and the rather crude hammer of a DDoS to break badly protected systems rather than using some advanced form of hacking. The ideals, such as they were, were random and there was more talk than execution. A planned, idealistic campaign to expose members and associates of the notorious Los Zetas Mexican drug cartel was dropped in November amid some confusion while a rather questionable operation to use stolen credit card details to donate to charities, supposedly defrauding banks in the process, failed to pick up momentum.

2012 will tell whether the attacks resume and become more advanced, or whether the actions of law enforcement have given hacktivists pause for thought. Already, the victims are tooling up. Stung by the attacks, Sony has picked former US Department of Homeland Security exec Philip R Reitinger as senior vice-president and chief information security officer to oversee information security, privacy and internet safety across the entire company. ®
