It has been a busy year for hackers.  The mega-group Anonymous has dramatically increased its activity since November 2010.  Early in 2011, both RSA and Sony’s PSN had extremely high-profile breaches.  No one knows who breached RSA or PSN, but after that a group appeared that was decidedly not shy about claiming the limelight for other hacks.

The group called itself LulzSec.  Lulz as in “LOLs” and “Sec” as in Security.  The character to the left was their avatar and their theme was loosely based on the Love Boat.  Their “method” was to hack into large databases, grab all the usernames and passwords, dump them on the internet and then write a boastful, sarcastic taunt claiming victory and putting the responsibility on the victims.

The usernames they compromised were “normal” internet users, such as the email addresses of thousands of women who participated in a contest about “The Young and the Restless” (a popular CBS soap opera).

At the height of their rise to hacker infamy, LulzSec posted a manifesto of bravado, justification and rationalization.  The manifesto is not safe to read at work, but here are some of the statements that show a bit of their hubris:

  • “Yes, yes, there's always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011. This is the lulz lizard era, where we do things just because we find it entertaining.”
  • “We release personal data so that equally evil people can entertain us with what they do with it.”
  • “This is the Internet, where we screw each other over for a jolt of satisfaction.”

LulzSec’s casual disregard of innocents angered many other hackers.  One group, “Team Web Ninjas”, dedicated itself to finding and publishing the dossiers of, or “doxing”, LulzSec.

In their arrogance, LulzSec made a fatal decision: on June 15 they attacked the CIA.  This brought them to the attention of the infamous anti-hacker hacker, The Jester.  The Jester (Th3 J35t3r in leetspeak) immediately announced that he was taking the gloves off.  LulzSec taunted him, but within 10 days, LulzSec abruptly disbanded itself.  They attempted to claim that it was their decision, but it was The Jester who had doxed LulzSec’s leader, by posing as a reporter and offering to pay for an interview.  Interestingly, the LulzSec leader was himself posing as the Jester at the time!

LulzSec as a group has continued imploding and by the time of this writing, the real names of all the main players are either public, or probably will be as soon as people talk.  It turns out that LulzSec was sloppy in its identity management, did not use secure channels, and its members did not trust each other.  As the pressure mounted, they exposed some of their own crew, who in turn are pointing fingers and naming names.

What is the lesson in all this?  Is there something to be taken away (besides lulz from watching LulzSec implode)?  Many of the hacks that LulzSec performed against high-profile targets were trivial hacks (like a simple SQL injection against Sony Pictures) that yielded hundreds of thousands of user records.  Perhaps the lesson to be learned is this: if you have a treasure chest of user records, you should be obligated to run a web application firewall in front of your application; that’s just common sense.  To do otherwise borders on recklessness.


(LulzSec + Anonymous) vs. The Jester

Before the book is closed on the LulzSec story, one chapter remains unfinished: exactly who is “The Jester”?  As you may have heard, The Jester is the pro-US anti-hacker hacker whose DDoS attacks chased Julian Assange’s WikiLeaks into Amazon’s EC2 cloud.  He has said that he is ex-US military and served in Afghanistan.  Some have claimed that he is ex-Special Operations.  Here’s a fascinating transcript of the hacker group Anonymous trying to figure out who The Jester is.  If you look closely, you can see him posing as one of them during the actual transcript (his signature is often “Stay Frosty”, keep that in mind).

Both Anonymous and LulzSec have tried to uncover the Jester’s identity.  LulzSec clearly failed (and were ultimately undone by their attempt to bait him).  Earlier this week, 45 suspected members of Anonymous were arrested across Europe.  The Jester may be the last man standing in this hack-heavy year of 2011.