Arik Hesseldahl


Despite All the Attention, LulzSec Hackers Failed

Just as suddenly as it appeared, it’s gone. After 50 days of digital troublemaking that included apparent instances of theft, vandalism, exposure of confidential information and generally creating a public nuisance, the LulzSec hacking troupe has, so its members announced Saturday, disbanded.

That means the time has come to render some early judgments on its impact. As of this writing, LulzSec’s Twitter feed has been followed by 281,560 people — which, if nothing else, gives some indication of its ability to get its name known on Twitter. The attraction was its seeming ability to cause computer havoc and get away with it. “Sticking it to the man,” whether the man is Sony, the FBI, the CIA or British police, is always a potent draw for a certain kind of young person who wishes they had the guts and the wherewithal to do exactly the same thing.

LulzSec first revealed itself by posting the names, addresses and phone numbers of thousands of contestants on the Fox TV program “The X Factor.” From there the group’s attention flitted all over the technocultural map. After posting transaction logs from ATM machines in the U.K., it turned its attention to the Japanese electronics giant Sony, still reeling from a separate attack that forced it to shut down its PlayStation gaming network for the better part of a month. LulzSec found numerous other Sony-affiliated sites easy prey.

Then the group showed the first hint of a political agenda, attacking a PBS Web site, pilfering user names and passwords of its staff, and posting a fake news story claiming the late rapper Tupac Shakur to be alive. The reason? It didn’t care for a Frontline documentary on Bradley Manning, the Army private who stands accused of stealing the diplomatic cables central to the WikiLeaks case. It wasn’t long before theories started to float that the membership of LulzSec might overlap with that of Anonymous, the amorphous band of WikiLeaks-loving hackers.

As the list of LulzSec’s claimed victims grew longer, its methods of attack and the motivations seemed to vary. One day it was posting in public the email addresses and passwords of users of a porn site, the next it was defacing Web sites belonging to Internet security firms, and after that, launching denial-of-service attacks against the CIA.

None of these attacks were technically sophisticated. Though they seemed “unstoppable hackers,” the techniques the gang used to attack its targets have been well known for years, suggesting instead a surprising lack of technical sophistication.

Its weapons of choice were basically two: SQL injection attacks and distributed denial-of-service attacks. A SQL (pronounced “sequel”) injection attack basically amounts to taking advantage of well-documented weaknesses in some versions of the SQL database language used on many Web sites. Sending queries to those databases — usually done by adding commands into the URL field of a Web browser — can cause those databases to behave in unexpected ways. Sites that are vulnerable can often be found with simple Google searches, and the attacks themselves are easy to carry out.

Try this for a metaphor: Imagine a burglar who knows that a certain type of window makes a house easy to break into. Naturally, he’s going to look for houses with that particular type of window, and take what he can from the houses that happen to have it. Sites using versions of SQL that are sloppily installed or not up to date make easy targets.
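To make the mechanism concrete, here is an added illustration that is not part of the original article: a page handler that pastes a URL parameter into its SQL text, next to the same handler with the value bound as a parameter. The table, the URLs and the function names are all constructed for this example, and the point it shows is that the weakness sits in how the site's code builds the query from request input.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    """Constructed in-memory table standing in for a site's user database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"),
         (2, "bob", "bob@example.test"),
         (3, "carol", "carol@example.test")],
    )
    return db

def param_from_url(url, key="id"):
    """Return one decoded query-string parameter from a request URL."""
    return parse_qs(urlparse(url).query).get(key, [""])[0]

def lookup_vulnerable(db, url):
    # Flaw: the request value becomes part of the SQL text, so the
    # database parses whatever the visitor typed as SQL.
    raw = param_from_url(url)
    return db.execute("SELECT name, email FROM users WHERE id = " + raw).fetchall()

def lookup_hardened(db, url):
    # Fix: reject anything that is not an integer, then pass the value
    # as a bound parameter so it can only ever be data, never SQL.
    raw = param_from_url(url)
    try:
        user_id = int(raw)
    except ValueError:
        return []
    return db.execute("SELECT name, email FROM users WHERE id = ?", (user_id,)).fetchall()

# Constructed sample requests: the second carries extra SQL in the parameter.
NORMAL = "http://shop.example.test/profile?id=2"
TAMPERED = "http://shop.example.test/profile?id=2%20OR%201%3D1"

if __name__ == "__main__":
    db = make_db()
    for label, url in (("normal", NORMAL), ("tampered", TAMPERED)):
        print(label, "vulnerable:", lookup_vulnerable(db, url))
        print(label, "hardened:  ", lookup_hardened(db, url))
```

The vulnerable handler returns every row in the table for the tampered request, while the hardened one returns nothing, and both behave identically for the normal request.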

The information that LulzSec seemed to loot from the various sites it attacked had sort of a random quality to it. Having found a vulnerable site, it took what it could. For example, its attack on the Web server of the U.S. Senate didn’t contain anything embarrassing, but rather a dry and lengthy list of files on those servers used to build the Web sites belonging to U.S. senators.

Later, when it turned its attention to the CIA, LulzSec used its second favorite weapon of choice, the distributed denial-of-service attack. In a DDOS, a target computer is made useless by overwhelming it with too many requests for information. I liken it to making so many crank calls to a single phone that the person using that phone can’t make or receive routine calls. It’s not technically sophisticated, either.

While the CIA seems an impressive target, it’s not as if LulzSec were interfering with any top secret operations. For the few hours that it was “tango down,” the public at large was unable to read CIA press releases, and schoolchildren were shut out from reading about the dogs in the CIA’s K9 Corps. Critical CIA business it’s not.

The group crossed a line from nonsense to potentially causing harm with its attack on the Arizona Department of Public Safety. The personal information on eight officers, including their home addresses and the names of their spouses, was publicly posted with reckless disregard for the potential blowback. Police officers already risk enough to protect and serve their communities. The point of the attack appeared to have something to do with a controversial state law that’s currently being challenged in the courts.

It was after this attack that the heat seemed to increase. Irritated at LulzSec’s ability to generate news coverage about itself, coupled with a perceived lack of “real” hacking skill, rival gangs on the digital streets seethed in rage and sought to “dox” — or post personal details about — LulzSec’s purported members. The latest and seemingly most complete disclosure appeared Sunday. It details the overlapping membership of LulzSec, Anonymous and a group called Gnosis, which gained attention last year for attacking Gawker. If the information contained in the document is correct, then it’s only a matter of time before law enforcement catches up with LulzSec.

Now that its campaign of digital mischief is over, LulzSec’s members will go their separate ways. Barring arrest and conviction, some will take on other identities and return to hacking. Others will try to put these last 50 days behind them but will always be looking over their shoulders.

What’s changed? Hopefully CIOs both in government and the private sector will focus new energy on securing their networks and Web sites from common vulnerabilities that should have been patched years ago.

But did LulzSec’s “message” get through? I’d have to say no. The Arizona hack seemed the deadly serious exception to the rule, in a series of incidents that for the most part amounted to annoyances for all concerned. In the span of 50 days, LulzSec proved it was neither original, nor technically adept, nor intellectually focused enough to be motivated by anything that approached a coherent ideology. The available evidence suggests the group’s members were a bunch of misguided young people with too much time on their hands and precious few constructive outlets for their considerable energy.

They may or may not ultimately face the legal music for their digital joyrides, but they’ve certainly inspired a rash of copycats who will seek to pick up the torch and launch LulzSec-style Web attacks of their own. These others, in seeking to emulate the original, will only find themselves on the wrong side of the law and pay the consequences for their actions. As legacies go, it’s nothing that anyone should be proud of.

