Like the mutant offspring of Captain Jack Sparrow and French anarchist Pierre Proudhon — famous for his ‘property is theft’ claim — activist hacking group LulzSec surfed the Web spreading debonair charm, chaos and reckless acts of ‘hacktivism’ in equal measure.
During 50 perplexing days, government agencies and corporations fell victim to very visible and embarrassing attacks. Over the weeks two sides of LulzSec emerged: One agitating for social justice and fighting ‘the establishment’, and the other ego-driven and seeking to make a name for itself.
There were the hacks which were at face-value purely for the bragging rights: The repeated breach of Sony’s security and then the hacking of Nintendo. Then there was the attack on that classic authority figure: The CIA followed by the hacking of Arizona Police in the name of opposition to that US state’s laws and stance on illegal immigrants.
Following a self-imposed hiatus the group re-emerged with a vengeance, attacking News International’s Sun tabloid website and more recently suggestions have emerged of the hacking of some 10,000 PayPal accounts in an apparent revenge attack for that company’s decision to stop payments to WikiLeaks.
But, of course, LulzSec is not alone. More than any other hacktivist group in recent memory Anonymous has also made a name for itself with some very high profile hacks – in particular attacking Visa, MasterCard, PayPal and security firm HBGary Federal in defence of whistleblower site WikiLeaks.
More recently the group has released a ‘restricted’ document from the North Atlantic Treaty Organization (NATO) and documents from government security contractor ManTech.
While government and industry figures all agree that hacktivism — no matter the colour or stripe — poses a real security threat to organisations, opinion is divided on the motivations, and hence seriousness of groups such as Anonymous and LulzSec.
Know your enemy
Given the secrecy of hacktivist groups such as Anonymous and LulzSec, few would venture claims to knowing the true motivations behind the current rash of attacks; however, two schools of thought have emerged on who these groups really are. The first argues that these groups are simply teenagers doing what teenagers do: Rebel. The other school argues that in line with the digital saturation of the current generation of teens and twenty-somethings these acts of hacking are simply the modern day equivalent of street protests.
Arguing the case for the ‘teenagers-will-be-teenagers’ school, outgoing Internet Industry Association (IIA) chief, Peter Coroneos, says the attacks of LulzSec in particular have the hallmarks of ‘script kiddies’ — talented hackers in their early to mid teens — looking to assert their skills and abilities.
“Looking at the statements LulzSec made in the few weeks [before it disbanded], I was actually reminded of the mid ‘90s. It was almost a return to the ‘bragging rights’ motivation,” he says.
“The last couple of years we have been concerned about organised crime and cyber terrorism and all that stuff. But this has almost been a flashback to the era of ‘we’re doing it because we can’.”
Coroneos argues that as targets have included government agencies as well and corporations, it is hard to see a common thread — other than these being part of “the establishment” — and it is this which people find disconcerting.
“Because there is no predictability — perhaps that’s a part of their point — there is the idea that they can hit anyone at any time for whatever reason,” he says. “That seems to be what they are actually trying to show: that they are not restricted to one ideology or cause.”
IBRS advisor and security expert, James Turner, is more forthright, arguing LulzSec’s work especially, amounts to “stupid, immature vandalism”.
“It’s dangerous and destructive. What were they protesting? They attacked Sony. What legitimate concerns could they have against Sony?” he says. “It is a really interesting ethical scenario: is it moral to make a protest about something you are unhappy about and break the law at the same time? There will be a time and a place for that but I would assert that this wasn’t it.
“Anonymous is interesting as they were doing some covert things in the background but also some public things proclaiming how righteous they were. It is hard to take a group seriously when they are being that indignant while they act like teenagers breaking windows in an abandoned warehouse.”
Royal Melbourne Institute of Technology (RMIT) School of Electrical and Computer engineering’s Dr Mark Gregory, says that while LulzSec appears to teenage hackers attempting to prove how good they are many of the attacks, particularly by Anonymous, appear to be motivated by the need to protest and pursue social justice ends. “It is the typical 20-something we-have-to-have-something-to-protest-about generational thing. Every generation likes to have something big to protest about – Vietnam, globalisation, Bob Geldof’s fight to end poverty,” he says. “This generation is tapped right into the network. For some of them Facebook isn’t loud enough a protest, so they fall into hacking directly.”
While some may view LulzSec and Anonymous through relatively sanguine eyes, one sector of society, law enforcement, has far from welcomed the groups’ activities. Australian Federal Police (AFP) High Tech Crime Operations Acting National Manager, Grant Edwards, says the agency accepts that online threats will continue to evolve and increase —especially via organised crime — but it takes a pretty dim view of hacktivism.
"Hacktivism may be similar to other forms of legitimate demonstration or protest; however it can have significant implications,” he says. “The AFP and other Australian law enforcement authorities will not tolerate the attempts of hackers to damage or destroy Australian individuals, companies and national infrastructure resources.
“AFP High Tech Crime Operations will continue to identify, investigate and prosecute individuals or groups for offences against Australian critical infrastructure and information systems.”
IBRS’ Turner says, given AFP’s track record, the stated intention to crack down on hacktivism is no empty threat.
“I’m a huge fan of the AFP and the High Tech Crime Centre,” he says. “Instead of pouring money into online censorship and the filter we should be tripling the money for the AFP.
“These guys have a proven track record of identifying and hunting down paedophiles, terrorists and people of that ilk. We can scratch around in the mud pretending that we’re doing something effective [about security] but ultimately if we gave more money to the AFP then we would be more effective.”
The Department of the Attorney-General, responsible for overseeing Australia’s Computer Emergency Response Team (CERT), also recognises that “issue motivated groups” as it refers to them are part of a wider cyber security threat to Australia .
Like the AFP, it too is taking a hard line on hacktivist groups — part of a threat list which includes individuals, organised criminal syndicates, and “state-based adversaries”.
“The Government is aware of recent public debate about whether these actions are a legitimate form of protest activity. However, the Government does not consider ‘hacktivisim’ or other similar activity that disrupts the confidentiality, integrity or availability of electronic information to be a legitimate form of protest,” a department spokesperson said.
“Individuals who become involved in these types of cyber activities need to be aware that they may be committing a criminal offence."
Tomorrow, in part two: Vendors weight in, and the inevitable crackdown on Hacktivism