Four lessons from LulzSec vs Murdoch

What next for the merry band of hackers?

Shooting for the Moon: Does this image hint at LulzSec's next target after The Sun, or is it just another distracting joke? (source unknown)

Shooting for the Moon: Does this image hint at LulzSec's next target after The Sun, or is it just another distracting joke? (source unknown)

LulzSec's hack of News International websites including The Sun yesterday is one of the highest-profile information security breaches in history. Down went a major media company. But it means almost nothing beyond the daily news cycle.

At first glance you might imagine that defacing a major UK website and posting a hoax story about the death of its proprietor would finally draw attention to information security issues. There's hackers out there, folks, and unless you get your act together now they will pwn you.

At second glance you might imagine that LulzSec's attack was even more effective. With multiple websites compromised, News International was forced to take its entire internet presence offline for hours while they figured out what was going on. Web, email, the lot, representing hundreds of domains. That's a massive loss of face, and presumably a hit on the company's productivity and advertising revenue.

But I'm not so sure.

I reckon there's four key lessons from yesterday's events.

Lesson One: LulzSec knows how to get attention. Kinda.

One aspect of LulzSec's timing is exquisite. In a week when Rupert Murdoch is dominating the news -- and not in a good way -- on the very eve of his public interrogation, they took out his British crown jewels. That hurts.

But the timing was also seriously flawed. The attack started at 10.30pm UK time and unfolded once most Britons were asleep. Relatively few visitors to thesun.co.uk would have seen the hoax story. The financial cost to News International was lass at that hour. There was no follow-up. The media could turn to the real story of the day: Murdoch's evidence before a parliamentary committee.

LulzSec's team is smart and entertaining, but they're hardly public relations professionals.

Lesson Two: No-one cares. Hacking is a circus that affects someone else.

We've seen hack after hack after hack, but civilisation has stubbornly refused to crumble. We've cried wolf a few hundred times too often. We're experiencing what Paul Ducklin from Sophos calls "hack fatigue".

We only hear about successful hacks, from LulzSec or anyone else, Ducklin told CSO Online. "They can crow about every time they have a success," he said, "but you never hear about the sites they never broke into."

Presumably a vast number of hacks are thwarted by our armies of hardworking infosec specialists.

And we only hear about attacks against high-profile targets. "Along with the whole meme about cyberwar and cyber terrorism, it reinforces the message, 'Little old me? I'm off the cybercrooks' radar'," Ducklin said. "That's the worry for me."

Lesson Three: Nothing has changed in years.

While some infosec experts have publicly spoken out against LulzSec as irresponsible criminals, I know they're secretly cheering them on. Public pranks, risqué repartee and blatant baiting of the victims is getting LulzSec the attention that more sober methods have failed to achieve.

"Thank you, LulzSec, for bringing this to my boss' attention. Now we can finally get the security budget we need," seems to be the message.

Really?

What's changed?

In the last year or so the mainstream media has run stories about hacks, or attempted hacks, of Google, the US Senate, Lockheed, AT&T, NATO, Epsilon, RSA, MySQL, WordPress, Paris Hilton and Mark Zuckerberg's Facebook fan page. In Australia think Vodafone, Lush, Monash University and even prime minister Julia Gillard's email. Only three months ago it was the Sony PlayStation Network data breach -- the fourth-biggest breach in history and for which LulzSec claimed responsibility.

After all those stories we held urgent meetings, changed our ways, and put infosec at the top of the business agenda, right?

Yeah right.

Lesson Four: No-one looks at their own information security until they themselves get hacked.

The very first hack claimed by LulzSec's was Fox.com, another Murdoch business. While defending a complex network against a determined adversary certainly ain't easy, News International does seem to have been comprehensively compromised.

I'd have thought that seeing a stablemate go would have led to a better defence. But perhaps not. Perhaps that's asking too much of human nature.

So what next?

We all get to speculate about LulzSec's next move. They claim to possess a News International email archive, and said they'd release it Tuesday. But even by US time there's only a couple of hours left.

"The Sun taken care of... now what about the moon...", LulzSec tweeted early this morning Australian time, linking to the image above. Hint? Or meaningless distraction?

Contact Stilgherrian at stil@stilgherrian.com, or follow him on Twitter at @stilgherrian.


 

Tags infoseccybercrimeLulzsechacknewssophoshoaxcyber terrorismPaul DucklinNews Internationalfox.comsecurity breachesMurdock

Show Comments