After fifty days of causing mayhem and running about the Internet unharmed, LulzSec has decided to disband as an organization. The constituent members remain at large, mind you, and surely they haven’t lost their taste for private data. There almost certainly will not be a reduction in break-ins, although they may now be more discrete. If LulzSec was unique in any way, it was that they eagerly publicized their activities.
The way LulzSec put their exploits out in the open is new, and it should serve as a wakeup call to the general populace that system security needs to be taken much more seriously. It isn’t a secret to I.T professionals that hacks occur on a frequent basis. Yet it tends to be in the best interest of the victims to keep break-ins under wraps. While some companies are slowly developing policies to alert their users, if a compromise doesn’t legally dictate that the company must disclose the event, it remains likely that they will not; there is little to be gained, and much to be lost, by letting the world know that your systems are not secure.
Indeed, what LulzSec has shown us that the systems of major corporations are not secure. We will never know how many of the affected companies would have confessed to the public that they were hacked. We do know that Sony was not eager to come clean (it is curious to wonder whether this dishonesty is what made Sony such a popular target for the hacker group). We will also never know how many similar breeches occur on a daily basis, committed by hacker groups less eager to be in the spotlight, or whether LulzSec divulged all their attacks. There may be compromised systems they haven’t told us about.
What we do know for certain is that for fifty days, a small group of hackers penetrated numerous corporate networks and denied service to many more, and remains almost completely unmolested by law enforcement. Even after they breached the FBI, Air Force, and CIA, the governments of the world seemed powerless to put a stop to it. The only ones able to counter attack, it seems, is other hacker groups.
This is a serious problem for everyone involved. If law enforcement is unable to put a stop to widely-publicized attacks, they surely won’t be able to fight hackers who keep their exploits under wraps. Logically, if a hacker targets a network for profit (say, a credit card processing system), he isn’t going to brag about it to all of twitter or post the contents on Bittorrent. We can’t know how often this occurs, but we can infer from the past few weeks that when it does, the perpetrators likely won’t face any repercussions from the police.
Additionally, the ease with which LulzSec exploited these networks is frightening, to say the least. Unfortunately, it is difficult for the general public to appreciate the meaning of compromises via SQL injection; but this type of vulnerability, especially in a network of a company such as Sony, is worrisome. If Sony cannot maintain a higher standard for coding practices, we have to ask what level of security auditing other companies are performing on their networks. The fact that one of the LulzSec releases is a list of routers on the Internet that are still using default usernames and passwords is just another example that people simply aren’t taking network security seriously enough.
Unfortunately, I fear that with LulzSec breaking up, its members won’t feel as free to publish their exploits on the Internet. The constant bombardment of compromises will continue, but they will cease to appear as headlines on the nightly news. This falling out of the public eye might just be the absolute worst thing that can happen at this point. We need to be pressuring our governments and our businesses to take security seriously – or none of us will be safe.