Top 10 Influential 2011: The rise and fall of LulzSec

Computerworld Australia counts down the 10 biggest ICT stories of 2011

Hacktivists with a virtual axe to grind got their fair share of the spotlight in 2011, most notably a group called LulzSec that managed to cause problems for organisations ranging from the CIA to Sony, thereby earning them a place in the top 10 influential.

While the group, whose name is a derivative of laugh out loud (LOL), claimed they were hacking for the `lulz’ some of the attacks were politically motivated. For example, LulzSec first came to attention on 30 May when, after been less than impressed by a Frontline documentary on whistle blower site WikiLeaks called “WikiSecrets”, decided to hack the Public Broadcasting Service (PBS).

The group broke into the PBS servers and defaced its blog with an `exclusive’ that murdered hip hop stars Tupac Shakur and Notorious B.I.G. were alive and living in a small town in New Zealand.

They struck a few days later on 2 June with a security breach of several Sony Pictures websites. They claimed to have accessed unencrypted personal information on more than one million people and compromised administrator passwords, including 75,000 music codes, and 3.5 million music coupons.

Unlike most hacker groups, LulzSec was not shy about taking responsibility for its attacks, tweeting details and issuing press releases.

“SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now," LulzSec said at the time. "From a single injection, we accessed EVERYTHING."

Gaming companies weren’t safe either as Nintendo soon discovered on 6 June when the group struck its US-based server. However, a spokesperson said no consumer information was held on the server and the hacker group did not get away with any sensitive information.

By June, the group was coming in for criticism from security experts such as Sophos’ Asia Pacific head of technology, Paul Ducklin, who said the group needed to “grow up and stop acting like kids.”

He added that the hacking group had no "special skills" required for their online attacks, with their hacking tools freely available for download on the internet.

However, some people in the information security industry took a different view and argued that LulzSec was doing companies a favour by exposing their inadequate network and server security.

One anonymous source told PC World US that companies like Sony may come out of the hacks with the strongest information security program in their industry.

“This is not dissimilar to the dynamic you might have with a brutal personal trainer you absolutely hate, but whose barbaric methods are the impetus behind your transformation into a superior athlete,” the security expert said.

Australia was not immune to the activities of LulzSec either. In June, a leaked list of 62,000 email addresses and passwords, including some harvested from Australian organisations such as AusAid, Victorian Government departments, local councils in Victoria and New South Wales, the Australian National University, the University of New South Wales and the University of Queensland were posted online.

Perhaps sensing that it couldn’t keep hacking forever without being caught, the group announced on 26 June that it was disbanding and “sailing into the distance”. However, it didn’t take long before the group was back in action on 18 July hacking the News of the World site and posting a fake story that owner Rupert Murdoch was dead, after details emerged of the phone hacking scandal carried out by some News of the World journalists.

For a while LulzSec seemed to be one step ahead of the authorities but several people associated with the group were eventually identified and arrested.

Such was the case with Jake Davis, an 18-year-old teenager from the UK, who used the online alias "Topiary" and played a spokesperson role within LulzSec and Anonymous. The Federal Bureau of Investigation (FBI) also arrested a 23-year-old man from Tempe, Arizona, named Cody Kretsinger who is believed to be a former LulzSec member known as "recursion."

By October, the only member of the group who hadn’t joined Anonymous or been arrested seemed to be its alleged leader, a man who went by the online name `Sabu’.

During a Reddit online Q&A session, Sabu said that he had lost too many friends but would probably never talk to them again as some former members provided information to law enforcement authorities. "The ironic twist will be that my own friends will take me down and not these idiots who hide behind the patriot veil,” he said.

So while LulzSec might be gone for now, their well-publicised activities and the threat of more hactivisit groups emerging, has meant companies are still beefing up their security systems and hiring chief security officers.

So, do you think the rise and fall of LulzSec ranks as one of the biggest stories of the year? Comment below on how high you’d rank the story, and what else should be included in the Top 10

Join the Computerworld newsletter!

Error: Please check your email address.

Tags AnonymoussophoshackersPaul DucklinLulzsec

More about etworkFBIFederal Bureau of InvestigationING AustraliaNintendo AustraliaSonySophosUniversity of New South WalesUniversity of New South WalesUniversity of QueenslandUniversity of QueenslandWoolworths

CIO
ARN
Techworld
CMO