Conflicted about "hacktivist" activity such as the current actions of LulzSec and Anon? There appears, anectodally to be widespread public support (or at the very least, an absence of unequivocal condemnation) of these semi-organised hacking groups, who seem able to bring down online services at a whim. And a layman's belief that they must have some serious kit, expert knowledge and access to enormous resources, right? According to Sophos Labs Naked Security blog, nothing could be further from the truth:
"LulzSec website break-ins look to have been languorously orchestrated, using nothing more sophisticated than entry-level automatic web database bug-finding tools, available for free online.
In other words, LulzSec is a timely wake-up call to better security if you are still asleep at the wheel. Your customers' data is important - both to them and to you."
We InfoSec professionals need to heed the warning. It's going to get worse before it gets better. The Advanced Persistent Threat is actually the "Simple Persistent Threat". The online organisation without any weak spots, the impregnable network is a fantasy. We need to wake up, improve security but also reduce the potential impact of a breach, with encryption, data cleansing and segregation, and a decent Incident Response plan.
But for now, back to Sophos' take on LulzSec, for those that are ambivalent to their activities:-
"But the end doesn't justify the means. Time spent throwing bricks through other people's digital windows doesn't actually teach anyone anything about glassmaking, glazing or civil engineering. If you consider yourself a hacker and you have time to spare, but you're tempted by "hacking" such as DDoSes or gratuitous break-ins, why not use your skills for active benefit instead? Follow the lead of a guy like Johnny Long and hackersforcharity.org"
Friday Squid Blogging: Squid from Utensils
2 days ago