Feeds

2011 Reg roundup: Hacking hacks, spying apps and an end to Einstein?

Smartphones, privacy and a year of tears

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Anonymous, Lulzsec and the attack of the hacktivists

Hacktivism - people launching attacks and stealing data for purportedly political ends - arguably hit a high-water mark in 2011. It was accompanied the rise of street protest movement Occupy, and allowed itself to become associated with Robin Hood-types disgruntled with bankers and the excesses of the capitalist system. Hackers often justified their own actions on anti-establishment grounds or as a quest for revenge against perceived in-justice.

It was the year when Anonymous, a reasonably long-running and loosely grouped bunch, was joined by Lulzsec, a smaller but even more anarchic group.

Their preferred weapon of choice, the Distributed Denial of Service (DDoS), was allied to hacking into insecure databases and mail spools before releasing their contents onto the net, to the embarrassment of victims.

anonymousCARTOON

Lulzsec burned bright but briefly in hacktivism

By the middle of the year, it seemed every day somebody somewhere was claiming another DDoS, web site re-direct, or data theft on behalf of Anonymous, Lulzsec or both.

Targets included entertainment industry firms for their stance against file sharing, newspaper sites of Rupert Murdoch's News International and his Fox TV station, NATO, banks, websites run by government of Egypt and Tunisia during the Arab Spring protests, FBI-affiliated security organisations and different law enforcement operations across the US out of revenge for the arrest of alleged members of Anonymous and Lulzsec.

Sites were knocked offline and gigabytes of personal data - email, credit card details, and social security numbers - lifted. Their actions made headlines, not just for who they attacked but also for the accompanying claims of robbed data. Hacktivists also liked to think they were untouchable: US security firm HB Gary Federal had threatened to reveal the identities of members of Anonymous at a security conference, Security B-Sides, but instead HB Gary Federal found itself hacked, its website defaced, Twitter feed hijack and its email spool released.

But just how apocalyptic was this? Many of the claims of data breaches couldn't be substantiated while some attacks seemed rather petty, such as Lulzsec posting a fake story on PBS about rapper Tupac Shakur being alive out of revenge for a PBS's documentary on Wikileaks' Julian Assange.

And when it came to dropping the big bomb, the hacktivists kept holding off. Anonymous held back on threats to release caches of classified NATO documents while Lulzsec didn't follow through on a threat to release News International emails that it claimed to have acquired during the redirection attack on The Sun's website.

Curiously, however, arguably the biggest hack story of the year - the breach and take down of Sony's Playstation Network, a vital artery that connects millions of Playstation gamers - was a coup that Anonymous couldn't walk away from fast enough.

The Sony Playstation Network hack saw the details of 77 million gamers compromised and the network offline for 23 days. Just prior the attack in April, Anonymous had posted a self-important and sanctimonious message warning Sony it would "experience the wrath of Anonymous" for its legal action against PlayStation 3 hacker George Hotz. Yet, Anonymous denied any role in the crippling PlayStation Network hack. Was it Anonymous all along: some member of the group whose actions those in the centre didn't agree with, or was it somebody - as yet - unknown?

The incident pointed to the real problem with Anonymous: it's not a functioning, centralised operation and is instead a chaotic affiliation of splinter cells and individuals with a generalised sense of identity. It is more a group when perceived from the outside.

By summer, the hacktivists also seemed to be on the back foot with arrests in full swing: 21 people cuffed in the US and seven in the UK for their alleged role in the December 2010 DDoS on Paypal, Amazon, MasterCard, Bank of America and Visa over their decision to stop handling the account of Wikileaks.

A pivotal moment came on June 22 when alleged Lulzsec member Ryan Cleary, aged 19, was arrested and charged with five computer crime offences, including allegations of building a botnet and unleashing distributed DDoS attacks, including a cyber-attack on Britain's Serious Organized Crime Agency (Soca).

Five days later, Lulzsec told the world on Twitter it was retiring - barely a month after it had established its presence on Twitter. The group told the AP it wasn't running because it was afraid of law enforcement, just: "The press are getting bored of us, and we're getting bored of us."

Was this the end? Anonymous, was still venting as late as October, stealing data and holding it to ransom. The group published a dossier of personal information on the head of Citigroup in retaliation for the arrest of protesters at an Occupy Wall Street demo.

Like the Occupy movement, however, a sustained focus was missing; the attacks seemed opportunistic - relying on the security oversights of their victims and the rather crude hammer of a DDoS to break badly protected systems rather than using some advanced form of hacking. The ideals, such as they were, were random and there was more talk than execution. A planned, idealistic campaign to expose members and associates of the notorious Los Zetas Mexican drug cartel was dropped in November amid some confusion while a rather questionable operation to use stolen credit card details to donate to charities, supposedly defrauding banks in the process, failed to pick up momentum.

2012 will tell whether the attacks resume and become more advanced, or whether the actions of law enforcement have given hacktivists pause for thought. Already, the victims are tooling up. Stung by the attacks, Sony has picked former US Department of Homeland Security exec Philip R Reitinger as senior vice-president and chief information security officer to oversee information security, privacy and internet safety across the entire company. ®

Intelligent flash storage arrays

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.