LulzSec - The D. B. Cooper's of Hacking? |
Recently LulzSec posted documents from Arizona Department of Public Safety in a BitTorrent.
LulzSec's "Topiary," supposedly a LulzSec leader, recently allowed an interview with Gawker: "Worry is for Fools!"
The issues here are very interesting and complex. For one thing, most corporate IT security types I know are bound by a variety of limitations:
- First of all corporate security is dictated by, well, er, corporate types. Most companies (fortune 500) don't have their own elite teams of hackers. They "hire out" using the recommendations of consultants and so on to dictate what they should do security-wise.
- Second, most IT platforms are safe "Windows" servers. "Safe" because no on ever fires you for buy what everyone else uses. However, this ties you to Microsoft software updates as far as security is concerned. And these security updates always happen after someone is hacked and finds a "hole" that the hackers used to get in.
- Third, as you move down the corporate hierarchy from the CTO/Security Cheif down to the day-to-day security grunt in the outlying shop in Poh-Dunk Iowa you find a big loss of enthusiasm and skill. The Poh-Dunk security guy probably just graduated from the local IT school - he's young, inexperienced and lost. More than likely he went to the IT school because he was not good enough hacker-wise to get a job without it or someone told him it was a good living.
- Fourth, corporations, especially large ones, tend to be bumbling in the IT area. There is typically fairly high turnover and so there is little continuity between people and projects over time. Patches are installed according to rigid schedules for sure, but the consequences of the patches is often broken production systems - which puts pressure on the IT types - to not put in patches.
A group like LulzSec is likely comprised of a much different sort of person:
- I would be surprised if any of the LulzSec group were over thirty or if any of them had not been using computers by age five. This is their life and they devote all their time to it for sure. Like the best scientist and mathematicians they do their best work when they are young.
- I would doubt they have "real jobs" or are moonlighting in the "corporate IT" world. Instead I would guess they live at home still, or at school, and spend every waking moment on the computer hanging around in various chat rooms, plotting and trolling the internet for tidbits of information on security, hacking, access, etc.
- My guess is that they have the ability to commandeer any number of remote machines that have been taken over by various types of bots (probably stacked up ten or twenty deep) to act in their anonymous stead - more than likely those whose machines are actually host to their activities don't know it or even have a clue. They also have access to and are on top of the vast pool of "open software" - linux and Firefox in particular - which give them the ability to have innate understanding of how sites like Sony's PS/3 network are set up.
- I suppose most importantly is they do nothing else - perhaps bathing and some personal hygiene - but that's about it. This is their life. Kind of like Einstein while working on General Relativity. Its all you do.
At a personality level the LulzSec's are probably all Type A Alpha males - not what you find in the IT trenches at big corporations. Sorry girls, but this is like high end physics and mathematics - sure some girls do it - but relatively few.
Then there is law enforcement. I believe that in general, at a technical level, law enforcement cannot and will not ever duplicate LulzSec's IT prowess and skill. They cannot trace their bots, network routes, and so on and probably never will. Sure their high-end consultants can pour over network logs but, if I were LulzSec, I would have previously hacked in and checked the network logs myself for any traces I might leave. Good luck there.
Law enforcement will, however, win because LulzSec will accidentally leave a clue outside the IT world. Inside they are golden and have probably automated their hacking to the nth degree leaving little chance for mistakes or errors. (Like the Phone Phreak "Captain Crunch" of old stacking up ten levels of Ma Bell's trunk lines to hid his trail these guys will have bots and hacks on law enforcements own computers involved in the theft.) It could be arrogance, too. Sometimes, when the exploits are beyond belief, you just need to tell someone - an almost girl friend perhaps.
But, because of their personalities their mere actions in terms of lifestyle will probably tip someone off - kind of like the Unabomber Ted Kaczynski. And this is where the police work and day-to-day grind of investigation will pay off. Some distraught family member or former girlfriend will tip off the police somewhere in Europe or the US and that will be the beginning of the end.
Today they are right to say "Worry is for Fools!' - but that won't last because eventually someone's mom or sister will notice some disturbing parallel between their son's behavior and an FBI profile or news report. Their automated hacker tools will leave no trace. But very few have eluded police for high-profile crimes over a long period save for the likes of D. B. Cooper (who is probably dead anyway).
No comments:
Post a Comment