[Valid Atom 1.0]

sexta-feira, 24 de junho de 2011

LulzSec: Not Robin Hood, more like Bonnie and Clyde


The arrest last week in England of alleged LulzSec hacker Ryan Cleary apparently has not immediately slowed the organization (or disorganization) that likes to think of itself as some kind of anarchist front. Late on June 23, the group claimed responsibility for breaking into e-mail accounts of the Maricopa County, Ariz., Sheriff’s Office through its public website and stealing data.

Once again, this incident says more about the victim than it does the perpetrators. The group has claimed credit for a long list of smash-and-grab break-ins in its brief crime spree, and the hacks have mostly been commonly available, brute-force efforts that the victims should have been able to protect themselves against.

Shame on them for allowing themselves to become victims and for giving LulzSec anything to crow about.


Related coverage:

Group claims hack of LulzSec, as suspected member is formally charged

Risk management: The answer to security, or the problem?


We’re not talking about master criminals or good guys here. This isn’t Robin Hood. These guys are the cyber equivalent of Bonnie and Clyde, a pair of social misfits who received a lot of attention through their indiscriminate violence and who in reality were pretty inept as bank robbers and never gained the respect even of their outlaw contemporaries. It made for a good movie, but they were nothing to emulate.

Like those Southwestern bandits, LulzSec is thriving on publicity but has accomplished little.

“Their Achilles heel is they want attention,” said Rob Rachwald, director of security strategy for the security firm Imperva. “I’m not sure they are intentionally self-destructive, but they are very pompous and cavalier.”

They are invincible — as long as nothing happens to them. “You don’t feel the heat until you get arrested,” Rachwald said.

That process has begun. Not only are the police after them, but other hackers are turning on them as well, because their high-profile, smart-aleck attitude and penchant for theft is giving hacktivism a bad name.



But the attention LulzSec has generated is not all bad. “The positive part of it this is that it is forcing people to think really hard about their security posture,” Rachwald said. “It’s putting a focus on security.”

What LulzSec has been doing is not terribly sophisticated. As is so often the case, organizations are being breached and embarrassed because of inadequate security rather than because of the skill of the attackers.

There are sophisticated attackers out there, using sophisticated tools and exploits taking advantage of zero-day vulnerabilities to get through elaborate security. These are serious and deserve attention. But most of the breaches we see, including those from LulzSec, are the result of not having adequate defenses in place to protect against known threats.

Like the bad guys who don’t feel the heat until the police close in, systems administrators often don’t pay attention to a threat until they are attacked. The fact is, no one is immune from attack. If you already are high-profile, like the Senate or the CIA, that makes you an attractive target. If you do not already have a high profile, a successful attack will give you one.

In the end, security is about risk management. You cannot make yourself perfectly secure, but you should be able to achieve a level of security commensurate with the resources you are protecting. This would protect you against the efforts of egotistical wannabees such as LulzSec and deny them the attention they are seeking.






LAST

Sphere: Related Content
26/10/2008 free counters

Nenhum comentário: