Sign up now to get free exclusive access to reports, research and invitation only events.
The curtain has fallen on the 50 day performance by hacker group LulzSec. Its campaign of mayhem and destruction, peppered with witty commentary captivated the world.
#1: Simon Cowell’s X-Factor
-On May 2, just before the 2011 X-Factor season kicked off, Lulzsec hacked the show’s MySQL database and released 73,000 contestants’ email addresses, dates of birth, phone numbers and other personal details. It would not be the last attack on Fox.
Date: 15 May 2011
-Three days later, LulzSec released over 400 Fox staff emails and passwords, and its sales database affecting major clients and advertising agencies.
As if it wasn’t already crystal clear, LulzSec added: “Dear Fox.com, We don't like you very much.”
#3: UK ATM-owner data
Date: 15 May 2011
-LulzSec releases a database containing the names of thousands of ATMs owners across the UK. The information was relatively harmless, but definitely not meant for public access
#4: Sony Music Japan
-An already thoroughly clobbered Sony faces its eighth data breach. Lulz employed an SQL injection to breach its systems this time.
“Stupid Sony, so very stupid,” the group wrote.
#5: Tupac’s brief antipodean revival
Date: 29 May
On 29 May, the website of America’s Public Broadcasting Service (PBS) reports that murdered rapper Tupac is actually alive and well in New Zealand. Needless to say, it was the work of LulzSec.
- LulzSec coins the term [[xref:https://twitter.com/#!/LulzSec/status/76333978747015168|LulzSec coins the term #Sownage]]
and announces that a new game begins, which basically involves stabbing Sony as many times as possible.
“In only 23 days we hacked Fox, PBS, Sony, and got our website fully up and running. Taking a fine rest for the next 3 hours. #Sownage”
June 2 - Later that day it claims victory in its #Sownage game. Exactly a month after Sony’s top Japanese executives took an extended public bow over the PlayStation Network breach which claimed 100 million user details, LulzSec hits it again. It claimed to have snatched one million unencrypted PSN passwords and user names.
"A month after 1,000,000+ unencrypted users, unencrypted admin accounts, government and military passwords saved in plaintext". [[xref:https://twitter.com/#!/LulzSec/status/76381992878477312|#PSNcompromised]]. @Sony
#7 After taking down so many others’ websites, Lulzec protects its own.
- LulzSec beefs up defences against DDoS attacks for its recently launched website, which it expected infuriated gamers to target. The group hooked its website into CloudFlare’s content distribution network and the company wins many fans for its work maintaining the Lulz site.
“We love [[xref:https://twitter.com/#!/LulzSec/status/76542537078284288|CloudFlare]], Mr. CEO of CloudFlare. Can we have a free premium membership in return for rum?” LulzSec asks.
#8 - Some in security industry thank LulzSec.
-A US security consultant who was not attacked by LulzSec thanks the group for an uptick in business.
[[xref:https://twitter.com/#!/JosephKBlack/status/77826828462592000|JosephKBlack]]Director of Operations at US PRIVATE SECTOR CYBER COMMAND
Joe Black ✔ Genuine
#9 - Brink users attacked
6 June 2011
Hackers 16, Sony 0 in the Sownage game, and also claims 200,000 users from the first-person shooter game, [[xref:http://lulzsecurity.com/releases/1000th_tweet_press_release.txt|Brink]]
, but does not release the details - an act designed to menace the game’s users, which the group will explain in its forthcoming manifesto.
#10 - “Tango down”
-Using a term usually reserved for soldiers that take down a terrorist, LulzSec claims “tango down” twice in two days for attacks on US Government websites.
It releases technical data from [[xref:http://lulzsecurity.com/releases/senate.gov.txt|Senate.gov servers]]
servers and names the administrator responsible for them.
Then on June 15, it targeted [[xref:http://lulzsecurity.com/releases/fuck_fbi_friday_PRETENTIOUS%20PRESS%20STATEMENT.txt|CIA.gov]]
. Earlier in June, it snatched a 180 login and password details to the website of an FBI spin-off, Infragard. The group facilitates information analysis and sharing between government agencies and the FBI.
LulzSec discovered that even technically advanced security professionals re-use their passwords across personal and corporate systems.
The target of embarrassment in this case was Karim Hijazi, founder of whitehat security firm, Unveillance, which specialised in botnets and data breaches.
“After a few discussions, he offered to pay us to eliminate his competitors through illegal hacking means in return for our silence,” [[xref:https://twitter.com/#!/LulzSec/status/81115804636155906|Lulzsec claimed]].
#11 Double-flip bricks through glass windows.
-While security vendors benefited from the heightened awareness of security that Lulz brought, some remained unimpressed at a moral and technical level.
Paul Ducklin, security researcher at Sophos Australia, touched on an issue that is central to the mindset of some in the security field: that they break systems as opposed to software developers who make them.
Ducklin conceded LulzSec’s activities were a “timely wakeup call” but questioned its educational value and criticised it for using simple methods of attack.
"Time spent throwing bricks through other people's digital windows doesn't actually teach anyone anything about glassmaking, glazing or civil engineering," [[xref:http://www.foxnews.com/scitech/2011/06/16/hacker-group-labeled-schoolboys/#ixzz1Rn4iZrvG|Ducklin told News Limited papers]].
"If you consider yourself a hacker and you have time to spare, grow some moral spine and use your skills for active benefit."
#12 More lulz.
-“Security Expert is jealous that schoolboys get more attention than Sophos without doing anything but tweet batshit things.” [[xref:https://twitter.com/#!/LulzSec/status/81415551313903617|Lulzsec wrote, June 16]].
“Sophos are the type of people who would judge throwing bricks through windows pedantically, deciding who threw the brick with more style.”
“Guess what Sophos, every brick throw doesn't have to involve a double-backflip and secret handshake; the window is f***ed either way”,[[xref:https://twitter.com/#!/LulzSec/status/81400981774012419|the group added]].
#13 Laughing at your security since 2011: an era of Lulz.
-Criticism of LulzSec’s activities is mounting, but it nonetheless celebrates its rapidly built following of 200,000 people on Twitter.
“In celebration of 200,000 followers, we are going to tweet about just getting 200,000 followers - looking forward to it.”
#14 - Happy 1000th Tweet & Welcome to 2011, an era of Lulz.
-The LulzSec manifesto is in part a defence of its actions, explaining that it publishes the data it hacks because if it was playing the “silent game” it would be no different to FBI whitehat affiliates who don’t tell their victims they have been compromised.
On the other hand, it warns that like every hacker, it does not reveal all its bounties.
“This is the Internet, where we screw each other over for a jolt of satisfaction,” was the final sentence of LulzSec’s manifesto.
Unbeknownst to everyone, possibly even the Lulz ship itself, their visit is coming to an end. Two days later, 19 year-old British botnet operator Ryan Cleary is arrested for his alleged role in a DDoS on [[xref:http://pastebin.com/HZtH523f|soca.gov.uk]]
and links to LulzSec.
Key parts of the manifesto
“While we've gained many, many supporters, we do have a mass of enemies, albeit mainly gamers. The main anti-LulzSec argument suggests that we're going to bring down more Internet laws by continuing our public shenanigans, and that our actions are causing clowns with pens to write new rules for you. But what if we just hadn't released anything? What if we were silent? That would mean we would be secretly inside FBI affiliates right now, inside PBS, inside Sony... watching... abusing...”
“Do you think every hacker announces everything they've hacked? We certainly haven't, and we're damn sure others are playing the silent game.”
“This is what you should be fearful of, not us releasing things publicly, but the fact that someone hasn't released something publicly.”
“Yes, yes, there's always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011.”
“This is the lulz lizard era, where we do things just because we find it entertaining. Watching someone's Facebook picture turn into a penis and seeing their sister's shocked response is priceless.”
“This is the Internet, where we screw each other over for a jolt of satisfaction.”
#15 - Shot at the Jester
-The same day it [[xref:http://th3j35t3r.wordpress.com/2011/06/25/lulzsecs-cloudflare-configuration/|releases a tirade]]
aimed at The Jester, an outspoken “hacktivist” who DDoSes jihadist websites and had claimed to reveal LulzSec’s CloudFlare configuration using a scripting tool he had developed.
by criticising his scripting tool, and claimed to write a much shorter one that did the job better.
#16 - AntiSec begins today.
-LulzSec releases its trope on the term “anti-security”, originally a movement against full disclosure of software vulnerabilities which anti-security’s supporters believed allowed corporations to profit unnecessarily. It declares war on whitehat security in [[xref:http://pastebin.com/9KyA0E5v|Operation Anti-Security #AntiSec]], but asks even its enemies to support its campaign.
“Whether you're sailing with us or against us, whether you hold past grudges or a burning desire to sink our lone ship, we invite you to join the rebellion.”
Call to arms to fight corruption, establishes top priority as stealing and leaking any classified government information.
#17 - Targets Arizona Police Department as part of AntiSec
-Training manuals, intelligence bulletins, email correspondence, phone numbers, passwords and addresses of Arizona law enforcement are released. The attack was claimed to be in response to racial profiling anti-immigration efforts in the state.
#18 - 50 days and the ship sets sail.
The group’s [[xref:http://pastebin.com/9KyA0E5v|final press release]]on 26 June was an eloquently written, wistful sayonara to the hundreds of thousands people offended, scared, awestruck and confused by its spectacle.
Did it help the cause of information liberationists like WikiLeaks? Perhaps. One thing the group’s antics did succeed in was bringing security, passwords and our sleepy sense of trust into painfully sharp focus.
#19 -[[xref:http://www.youtube.com/watch?v=L6O6sM2Shok|Follow Melbournite’s Rap News]]
- LulzSec rated few people, but one of the two people it vouched for was the alter ego of Melbournite, Hugo Farrant, Robert Foster, whose worldview clearly struck a chord with the group.