[This was originally published on attrition.org. This is a rebuttal piece to “Lulzsec Ups The Ante” (June 16th, 2011) by Brian Honan.]
Reading Honan’s article will set the stage and provide backstory on the topic at hand. Honan offers his opinion and commentary on the events surrounding LulzSec and their activities of breaking into systems and frequently disclosing all of the details. Honan and I have had some productive exchanges on Twitter regarding his piece, but 140 characters isn’t cutting it. Quoted material is from Honan’s article.
“They claim to be highlighting how weak the security of these organisations is and to teach them a lesson in how to secure their systems. By any logical reasoning this is not a valid argument.”
First, they are highlighting the weak security in these organizations. This is not a “claim”, this is a fact. Breaking into a company, copying its sensitive data and then publishing it to the world demonstrates beyond doubt that some type of security lapse occurred. Second, “by any logical reasoning this is not a valid argument” is in itself illogical. LulzSec’s actions are logical: they break in, take information and publish it, demonstrating a security problem. That is logical. This is a matter of you not agreeing with their tactics or logic, not the absence of logic.
“If you were to equate this to real life it would be similar to someone breaking into your house and leaving a note on your kitchen table to tell you that the lock on your front door was weak and while they are at it, taking some private information and posting it on a noticeboard for everyone to see.”
This is a very poor analogy. What household has the personal information of 200,000 people lying on the kitchen counter? Brian later amended his analogy: what if we change the average home to the average business premises? Then we don’t need an analogy! This is exactly what is happening; the only difference is between breaking into an application or network and breaking a window to get to the information.
“There is also the matter that in a number of cases Lulzsec has posted the personal information of the customers of the sites that were breached onto the Internet which now poses a security threat to those individuals. There are more ethical and acceptable ways to make companies aware that their security is not up to scratch and that do not involve putting innocent people at risk.”
Honan is right, there are more ethical and acceptable ways to make companies aware of security lapses. However, there are three points you miss:
1. The security profession at large has been trying to do this for over 30 years with very limited success. Even now, we see breaches due to really basic vulnerabilities that have been reported for years. Parameter tampering should not exist in any application, especially banking, yet it does. Citi is a company that spends a ridiculous amount of money on third-party auditing of their applications, yet this somehow slipped through the cracks. How long must we stand on soapboxes and demand better security? How long must we play the responsible disclosure game to vendors that don’t learn from their mistakes? At what point can researchers finally be absolved of the responsibility and burden of caring about security when the vendor doesn’t?
While breaching a company and publishing sensitive information is not ethical, it is acceptable to some people (like LulzSec and others).
2. The act of disclosing a list of credit cards or passwords can easily be argued to be a form of dysfunctional public service. Consider the whole picture: a company had personal information, kept it in an insecure manner and did not adequately protect it. If a criminal hacker took the information quietly, it may take months or a year to learn of the loss as investigators finally connect the dots to determine the source of the leak. In this case, LulzSec or any other group that takes the information without a financial motive immediately tells the world of the problem. Consumers are immediately aware of the issue and can proactively protect themselves against abuse. The vendor can change passwords or issue new credit cards quickly, before a significant amount of abuse occurs. Neither scenario is enjoyable, but one of them informs the consumer immediately, which is something that 5 years of growing breach legislation is only now forcing companies to do.
3. You say “does not involve putting innocent people at risk” in a manner that suggests you are ignoring who really put the consumer / end-user at risk in the first place. LulzSec didn’t put innocent people at risk; they made public the fact that people were already at risk. The blame lies with the vendors that are not taking adequate measures to secure sensitive data.
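Point 1 above cites parameter tampering in a banking application as the kind of basic flaw that should not exist. The following is an added illustration, not code from the original article or from any of the organizations it names: a minimal account-statement lookup in which the vulnerable version authenticates the session but then trusts a client-supplied account id, beside a hardened version that checks the record’s ownership before returning it. The account data, session tokens and function names are constructed for this example.

```python
# Added example: client-controlled object identifiers must be authorized, not just authenticated.
# All data below is constructed for illustration.

# Constructed sample data: account records and their owning user.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 840},
}

# Constructed session store: session token -> authenticated user name.
SESSIONS = {
    "sess-alice": "alice",
    "sess-bob": "bob",
}


class AccessDenied(Exception):
    """Raised when the caller may not see the requested record."""


def _current_user(session_token):
    """Resolve a session token to a user, or deny if the session is unknown."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("not authenticated")
    return user


def vulnerable_get_statement(session_token, account_id):
    """The flaw: authentication is checked, but the account id from the request
    is used directly. Any logged-in user who changes the parameter reads any account."""
    _current_user(session_token)            # only proves *someone* is logged in
    account = ACCOUNTS.get(account_id)
    if account is None:
        raise KeyError(account_id)
    return {"account": account_id, "balance": account["balance"]}


def hardened_get_statement(session_token, account_id):
    """The fix: resolve the user server-side and require that the record belongs
    to that user. Missing and foreign records get the same error so the endpoint
    does not reveal which account ids exist."""
    user = _current_user(session_token)
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        raise AccessDenied("no such account for this user")
    return {"account": account_id, "balance": account["balance"]}


def denied(handler, session_token, account_id):
    """True if the handler refuses the request with AccessDenied."""
    try:
        handler(session_token, account_id)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    # Bob changes the account id in his request to Alice's account.
    print("vulnerable:", vulnerable_get_statement("sess-bob", "1001"))   # leaks Alice's balance
    print("hardened denied:", denied(hardened_get_statement, "sess-bob", "1001"))
    print("hardened own account:", hardened_get_statement("sess-bob", "1002"))
```

The ownership check is the whole fix; a framework-level pattern is to load records only through a query that is already scoped to the authenticated user (for example, “accounts where id = ? and owner = ?”), so that the authorization cannot be forgotten on a new endpoint.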
“It appears [LulzSec] launched a Distributed Denial of Service (DDoS) attack against the CIA website, http://www.cia.gov. At the time of writing the CIA website is not reachable.
I suspect that they may have tried to breach the website but were unable to do so and as a result have simply blocked all traffic to the site.”
There is simply no evidence that LulzSec tried to breach the site. Evidence exists that their modus operandi was to DDoS the site, not try to break in. The last few days have seen the group launch DDoS attacks against a number of companies without any apparent attempt to break in first.
“This may not expose any sensitive information or breach the security of the site, but it does present a very embarrassing situation for the CIA.”
It is only “embarrassing” because, over the years, the media has not explained how DDoS attacks work. Everyone is vulnerable to saturation attacks. Everyone. Claiming that the CIA should be embarrassed because someone with more bandwidth than they had took them down is like saying a person should be embarrassed because they got beat up by five larger individuals. Sometimes there is nothing you can do other than accept the fundamental laws of physics.