Feeds

2011 Reg roundup: Hacking hacks, spying apps and an end to Einstein?

Smartphones, privacy and a year of tears

  • alert
  • submit to reddit

The essential guide to IT transformation

Anonymous, Lulzsec and the attack of the hacktivists

Hacktivism - people launching attacks and stealing data for purportedly political ends - arguably hit a high-water mark in 2011. It was accompanied the rise of street protest movement Occupy, and allowed itself to become associated with Robin Hood-types disgruntled with bankers and the excesses of the capitalist system. Hackers often justified their own actions on anti-establishment grounds or as a quest for revenge against perceived in-justice.

It was the year when Anonymous, a reasonably long-running and loosely grouped bunch, was joined by Lulzsec, a smaller but even more anarchic group.

Their preferred weapon of choice, the Distributed Denial of Service (DDoS), was allied to hacking into insecure databases and mail spools before releasing their contents onto the net, to the embarrassment of victims.

anonymousCARTOON

Lulzsec burned bright but briefly in hacktivism

By the middle of the year, it seemed every day somebody somewhere was claiming another DDoS, web site re-direct, or data theft on behalf of Anonymous, Lulzsec or both.

Targets included entertainment industry firms for their stance against file sharing, newspaper sites of Rupert Murdoch's News International and his Fox TV station, NATO, banks, websites run by government of Egypt and Tunisia during the Arab Spring protests, FBI-affiliated security organisations and different law enforcement operations across the US out of revenge for the arrest of alleged members of Anonymous and Lulzsec.

Sites were knocked offline and gigabytes of personal data - email, credit card details, and social security numbers - lifted. Their actions made headlines, not just for who they attacked but also for the accompanying claims of robbed data. Hacktivists also liked to think they were untouchable: US security firm HB Gary Federal had threatened to reveal the identities of members of Anonymous at a security conference, Security B-Sides, but instead HB Gary Federal found itself hacked, its website defaced, Twitter feed hijack and its email spool released.

But just how apocalyptic was this? Many of the claims of data breaches couldn't be substantiated while some attacks seemed rather petty, such as Lulzsec posting a fake story on PBS about rapper Tupac Shakur being alive out of revenge for a PBS's documentary on Wikileaks' Julian Assange.

And when it came to dropping the big bomb, the hacktivists kept holding off. Anonymous held back on threats to release caches of classified NATO documents while Lulzsec didn't follow through on a threat to release News International emails that it claimed to have acquired during the redirection attack on The Sun's website.

Curiously, however, arguably the biggest hack story of the year - the breach and take down of Sony's Playstation Network, a vital artery that connects millions of Playstation gamers - was a coup that Anonymous couldn't walk away from fast enough.

The Sony Playstation Network hack saw the details of 77 million gamers compromised and the network offline for 23 days. Just prior the attack in April, Anonymous had posted a self-important and sanctimonious message warning Sony it would "experience the wrath of Anonymous" for its legal action against PlayStation 3 hacker George Hotz. Yet, Anonymous denied any role in the crippling PlayStation Network hack. Was it Anonymous all along: some member of the group whose actions those in the centre didn't agree with, or was it somebody - as yet - unknown?

The incident pointed to the real problem with Anonymous: it's not a functioning, centralised operation and is instead a chaotic affiliation of splinter cells and individuals with a generalised sense of identity. It is more a group when perceived from the outside.

By summer, the hacktivists also seemed to be on the back foot with arrests in full swing: 21 people cuffed in the US and seven in the UK for their alleged role in the December 2010 DDoS on Paypal, Amazon, MasterCard, Bank of America and Visa over their decision to stop handling the account of Wikileaks.

A pivotal moment came on June 22 when alleged Lulzsec member Ryan Cleary, aged 19, was arrested and charged with five computer crime offences, including allegations of building a botnet and unleashing distributed DDoS attacks, including a cyber-attack on Britain's Serious Organized Crime Agency (Soca).

Five days later, Lulzsec told the world on Twitter it was retiring - barely a month after it had established its presence on Twitter. The group told the AP it wasn't running because it was afraid of law enforcement, just: "The press are getting bored of us, and we're getting bored of us."

Was this the end? Anonymous, was still venting as late as October, stealing data and holding it to ransom. The group published a dossier of personal information on the head of Citigroup in retaliation for the arrest of protesters at an Occupy Wall Street demo.

Like the Occupy movement, however, a sustained focus was missing; the attacks seemed opportunistic - relying on the security oversights of their victims and the rather crude hammer of a DDoS to break badly protected systems rather than using some advanced form of hacking. The ideals, such as they were, were random and there was more talk than execution. A planned, idealistic campaign to expose members and associates of the notorious Los Zetas Mexican drug cartel was dropped in November amid some confusion while a rather questionable operation to use stolen credit card details to donate to charities, supposedly defrauding banks in the process, failed to pick up momentum.

2012 will tell whether the attacks resume and become more advanced, or whether the actions of law enforcement have given hacktivists pause for thought. Already, the victims are tooling up. Stung by the attacks, Sony has picked former US Department of Homeland Security exec Philip R Reitinger as senior vice-president and chief information security officer to oversee information security, privacy and internet safety across the entire company. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
EE fails to apologise for HUGE T-Mobile outage that hit Brits on Friday
Customer: 'Please change your name to occasionally somewhere'
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
BT customers face broadband and landline price hikes
Poor punters won't be affected, telecoms giant claims
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.