Ethical Hacking for Lulz?

Using the motto "Laughing at your security since 2011!", LulzSec – short for Lulz Security – spent several months of their time embarrassing several companies by basically exposing poor online security.

These weren’t just any companies, however – LulzSec chose big names, such as Fox News, The X Factor, and Sony. Using comparatively basic attacks (such as SQL injection, the technique that they used against Sony’s PlayStation Network and a constant threat which the major electronics giant should certainly have been aware of) they were able to take down major websites, later claiming responsibility. The idea was to raise awareness of the lax security measures in place by bodies that should know better, although there was also an element of revenge involved; for instance, the Sony attack was in retaliation for the company’s pursuit of George Holz and his cracking of the PS3 DRM.

In the background, LulzSec is believed to be a handful of individuals with scripting and hacking skills and a possible previous affiliation with the Anonymous group who have been involved in various “hackitvism” campaigns over the past few years such as the 2011 leak of damaging documents purported to be from Bank of America.

Ultimately, LulzSec claim that they do what they do for fun: “for the lulz”. “Lulz” is a variation of the term LOLs, derived from the text speak alternative for the phrase “laugh out loud”.

You can currently find out more about LulzSec and the list of names that they have made look a little foolish on the website, http://lulzsecurity.com.

There is a lot more to all of this than just virtual vandalism, of course.

Whether it is LulzSec or Anonymous carrying out the latest cyber-attack (LulzSec’s claims that they have brought an end to their campaign will eventually be confirmed by inaction), and whether or not you agree with their actions, the fact of the matter is that they are able to highlight these security vulnerabilities with unnerving regularity and ease.

If your details were leaked during the recent PlayStation Network attack, for instance, as far as LulzSec are concerned all they were doing was underlining how insecure your details were. Using a denial of service attack, LulzSec were able to take down the CIA website in June 2011, while in the same month they revealed security holes in the British National Health Service and the US Senate website.

Pointing out these flaws is important, especially when the information at risk is sensitive.

While there is something refreshingly modern and grassroots about LulzSec’s hacking attempts against monolithic, faceless entities with little regard for the common man, there is also something worrying, something that gives the feeling that they have only looked at one side of the coin.

After all, if a business is put out of action for several days, it hits their profits, which in many cases impacts shareholder dividends and executive bonuses, and this in turn can be felt further down the line by the companies they trade with and their customers. A hack attack such as the one experienced by the PlayStation Network might have raised a few satisfied smiles from the Xbox Live community, but the effects of this will be felt at street level at some point with higher prices for games and hardware, or perhaps reduction in the number of titles appearing on PSN.

In addition to lost revenue, Sony is also the subject of various class action lawsuits by some of the owners of the 77 million credit card details that were thought to have been exposed during the hack.

That’s quite a price to pay for something done for Lulz.