Hackers Battle For The Lulz


Tech news, and especially news about hacking, is often characterised as a niche topic beyond the interests of people who use the internet for shopping, email and other mundane purposes. If you’re not involved in security or IT or actively involved in the tug of war between "legitimate" use and the internet’s outsider elements, some of them illegal, then chances are you don’t consider yourself at risk — except from the odd Facebook scam post (COMPLETE THIS SURVEY TO SEE A HOT PHOTO OF MILEY CYRUS AND JUSTIN BIEBER KISSING etc.)

But over the last month, the internet has been ablaze with the exploits of a new hacking group, LulzSec, who have brought the endemic security and cultural foibles of the internet into relief. The story has bled through from the tech pages into the mainstream news, usually via condemnation of the group’s actions by academics and internet security professionals.

LulzSec, whose membership, identity and location are the subject of fierce investigation by both security wonks and "ethical" white hat hackers, have been busy since their first attack on the X-Factor contestants database in early May.

They’ve crashed the FBI, CIA and US Senate public websites, shut down servers for the popular Minecraft, Eve Online and League of Legends video games, and hacked Sony’s user databases at a number of different locations.

In the Sony hack, LulzSec compromised the data of over one million users, and in their release, dubbed "Sownage", revealed the data wasn’t encrypted. The data, including usernames, passwords and coupon information, was stored in plaintext. LulzSec noted: "…it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it."

They also dumped the entire user database from porn site Pron.com, including the details of users who had signed up with .gov, .edu and military email addresses. Their other user dump of 62,000 user details from random sites included 280 .au email addresses, some from universities and other institutions.

The LulzSec Twitter account has been inundated with hilarious accounts of secondary attacks, where users, having used the same password across the internet, had their Facebook, Amazon, PayPal and Twitter accounts hacked. Chaos, a favourite pastime of the internet set, ensued — plenty of people inadvertently bought themselves porn or suddenly came out to their parents via Facebook. There were some benefits though — @ediblehearts tweeted a thank you: "Boyfriend unable to sign on [to League of Legends], forced to hang out with me! Thanks @LulzSec!"

So how do they do it? Hacker groups like LulzSec employ two main techniques, Distributed Denial of Service Attacks (DDOS) and Structured Query Language (SQL) injection.

DDOS is the type of attack you’ll see reported in the press most often, and isn’t really hacking either. It works by harnessing a huge network of computers called a botnet, which all send requests to a server simultaneously. The server can’t handle the demand, and dies. Imagine it’s a parking lot, and suddenly someone decides to park a million cars — that’s a DDOS. If you’ve ever tried to buy tickets to the Big Day Out or Splendour, you’ve also taken part in an unintentional DDOS.

They’ve also been performing DDOS attacks the old fashioned way — by telephone, redirecting thousands of calls from their 614-LULZSEC switchboard to the customer service department of World of Warcraft developer Blizzard and the FBI.

SQL injections are a bit more complicated. The party making the attack sends information with a logical inconsistency or exploit to an external database (say, Sony’s user database). In response, the database might force a valid username, release all user data, or a number of other results. Basically, the hacker tricks the application or database into spitting out valid logins or dumping its data.

It’s a common security breach, and there are applications floating around the internet that automate SQL injections. Novice hackers called "script kiddies" don’t even need the skills to perform the attacks themselves.

There’s been a lot of disagreement over motive and method, especially over the decision to dump tens of thousands of user logins. The common complaint from both security companies like Sophos and white hat hackers is that it’s both dangerous and unethical, and does nothing to fix security holes in the first place. Some of LulzSec’s Twitter followers have argued that their actions will be used by the US government to introduce even more draconian regulation of the internet.

Apart from their stated purpose — doin’ it for the lulz — LulzSec’s 1000th tweet media release demonstrates why the divide between those who "get it" when it comes to the internet and those who don’t is going to become more important than ever.

"…we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be. But you know, we just don’t give a living f*ck at this point — you’ll forget about us in 3 months’ time when there’s a new scandal to gawk at, or a new shiny thing to click on via your 2D light-filled rectangle. People who can make things work better within this rectangle have power over others; the white hats who charge $10,000 for something we could teach you how to do over the course of a weekend, providing you aren’t mentally disabled."

To summarise — internet security doesn’t exist, and the security companies who sell security services are laughing all the way to the bank. Patrick Gray over at Risky.biz admits as much in his excellent article "Why we secretly love LulzSec", and says that the security industry (many of them having started in a similar position) are having a great time watching the chaos.

Better that than the alternative: LulzSec has humiliated FBI-affiliated security groups Unveillance and Infragard, thoroughly hacking their systems and posting company emails online. In this log of an IRC chat with Unveillance CEO Karim Hijazi, LulzSec member hamster_nipple tells Hijazi (moondog) to "stop testing the waters": "We straight up owned you and your company on our own because it is what we do. We target white hat security firms." Hijazi pleads, looking for help on infected Libyan computers: "… I am truly starving guys."

There are plenty of independent white hats trying to "dox" LulzSec too — trawling the web for their identities and posting them online. LulzSec has laughed off the doxing attempts on Twitter and their pastebin site. Likewise, Anonymous, the schizophrenic "hacktivist" group from which LulzSec claims to have "graduated" in 2005, have alternated between applause and condemnation for their new rivals. Much of the tension is from competition. Accusations that LulzSec are script kiddies inevitably get the reply: "u jelly?" (You jealous?).

Anonymous has also been targeted by internet security firms, notably HB Gary, who were also after Wikileaks. This is in spite of having taken a more ethical hacking approach in the last year or so, hacking in support of Wikileaks and the Egyptian revolution.

The new, public hacking culture and its legion of admirers puts us in an area of great moral ambiguity. If there really is no security online, and, as Crikey’s Bernard Keane has noted in his "War on the Internet" series, governments are launching more and more attacks online in order to preserve their legitimacy and stifle the new "interconnectedness", then is LulzSec a form of resistance? It’s unclear who to trust: the snake oil salesmen wearing white hats or the Lulz Boat?

Personally, I’m with LulzSec — and not just because as I’ve been writing this article they’ve declared war on behalf of games company SEGA, to retaliate for another group’s hacking attack — "We want to help you destroy the hackers that attacked you. We love the Dreamcast, these people are going down."

Questions about internet security won’t be answered for some time. Keane likens the advent of the internet to a paradigm shift like the reformation or industrial revolution. It’s going to take decades for us to make the necessary political and cultural changes to accommodate the new technology, so in a way we should probably be grateful for these early battles for the internet for shaping our thinking.

At any rate, following LulzSec’s exploits is hilarious, and isn’t that the most basic human impulse? Doin’ it for the lulz?



Launched in 2004, New Matilda is one of Australia's oldest online independent publications. Its focus is on investigative journalism and analysis, with occasional smart arsery thrown in for reasons of sanity. New Matilda is owned and edited by Walkley Award and Human Rights Award winning journalist Chris Graham.