Anonymous, LulzSec: Heroes or Villains?
Reacting to Breaches Motivated by a Cause
Q: Are hacking groups like Anonymous and LulzSec heroes or villains?
A: It doesn't matter.
The bottom line for the IT security community is that it needs to protect systems and data, regardless of the motivation of the assailant.
You don't need to agree with assailants' motivation (most of us don't), but you must understand what's behind their actions to help defend against their intrusions.
Here at Information Security Media Group - publisher of GovInfoSecurity.com, BankInfoSecurity.com and HealthcareInfoSecurity.com - we've been having lively discussions at our weekly editorial meetings about so-called hacktivist groups such as Anonymous and LulzSec (see LulzSec: Senate, Sony Hackers Profiled). The general consensus is that regardless of motivation, Anonymous' and LulzSec's digital break-ins are wrong. What disturbs me most about their actions isn't that they breached IT systems but that they stole and distributed personally identifiable information and passwords. Hackers whose sole purpose is to highlight vulnerabilities, and nothing more, furnish a warning to organizations that they need to toughen their security. Is that such a bad thing?
For me, the answer isn't so black and white. Would I be grateful to an intruder who broke into my home, leaving notes pointing out that he could have stolen cash left on a nightstand or smashed a treasured vase I inherited from my aunt and then left the house in the same shape he entered it? Probably not. Still, the break-in would teach me a valuable lesson about securing my home. Should that individual, if caught, be prosecuted? Probably. He violated the law, and there are consequences for illegal activity.
Anonymous and LulzSec aren't so innocent, though their actions aren't as malevolent as, say, those of the actors believed to be backed by a foreign nation who obtained 24,000 files related to military systems being developed for the Pentagon, revealed earlier this month by Deputy Defense Secretary William Lynn III (see Hackers Breach Most Sensitive Military Systems).
We may soon get a chance to see justice in action; this past week the FBI nabbed 14 individuals, accusing them of being part of the Anonymous group that hacked the payment service PayPal for cutting off donations to WikiLeaks.org, the group that leaked a quarter million diplomatic cables last year (see FBI Nabs 14 in 'Anonymous' Hack).
Of course, we don't know whether these 14 suspects were the brains behind the Anonymous attacks or merely those who became enamored with the group's cause and downloaded a tool to attack a website, as suggested by Hugh Thompson, chief executive of the cybersecurity firm PeopleSecurity, in an interview with NPR. "I'd say many of those folks are not the people who are pulling the strings here," Thompson says. "Some of them may not have even known that they were doing something illegal."
But such ignorance can be dangerous in the nether reaches of the Internet, where groups like Anonymous and LulzSec flock and people don't know one another, even those in the same group. "They have never met in person," Thompson says. "So when someone has a dominant voice, you're not quite sure what their personal motivations are. One concern is that they may be able to influence the group to do something that the group never intended to do."
As NPR's Tom Gjelten supposes in the report, an outsider could sway the hacking group to attack a company that a criminal gang has identified as a possible target under the guise of activism. Breaking into the company's website could offer the gang a chance to assess vulnerabilities that could be exploited for criminal purposes.
That, however, shouldn't matter to the IT security pros at that company, who must be vigilant, taking the necessary steps to prevent such attacks from succeeding regardless of the motivation.