For those of you that have been following security news lately a group called Lulz Security has been hitting some big name targets lately. First they started off with FOX then moved on the PBS and the latest today includes Sony. First off let me make a note that this is the fourth time Sony or one of its subsidiaries has been hacked within the last 45 days.
While I don't condone hacking (unless you have permission first of course), can you really blame Lulz Security? Seriously....when you leave your house do you leave the front door open? If you run into the store for an hour do you leave your laptop and cell phone on the front seat of your car with the windows open?! It's not like Lulz Security is pulling off crazy insane hacks to compromise these sites...they used a basic SQL injection attack! Not to mention that everything they stole from Sony was stored unencrypted....let me say that again UNENCRYPTED! What is wrong with you Sony?!
Once the PS3 network was compromised and 77 million people had their personal information stolen don't you think that you should started encrypting your other databases? I mean seriously why would you take such a risk with peoples personal info like that?
Another thing that I wanted to point out is that Lulz Security has been hit hard by DDoS attacks since announcing that they have made the data they stole available for download on their site. As of this morning their site was unavailable although I'm sure it will come back up again later today. Why would I assume it is going to come back up...well because the team over at Lulz Security actually *knows* a thing or two about security and are leveraging a product from CloudFlare. This not only super charges their site providing them with more bandwidth, but also secures their data in the cloud. Lulz Security has also made mention in their Twitter postings that their F5 is warding off attacks like they are nothing.
Again while I don't condone hacking...kudos to Lulz Security for being able to leverage technology correctly showing companies like Sony what it means to implement a website securely and without issues :-P Companies really need to start asking themselves...if hackers can break into their networks and websites...why is it that their very skilled, highly paid, security team can't protect against these attacks? Many it is time for companies to start re-reevaluating their security staff and stop blaming people like Lulz Security for breaking into their site!
I will update here as more information about these particular hacks or more hacks from Lulz Security develop.
I hate reading articles like this from people who obviously don't take internet security seriously. They provide kudos to the hacking groups that take the websites of large corporations down instead of being ashamed for their actions. Is this the type of person you are? Blaming victims for their crimes against them? Praising those who hurt others?
ReplyDeleteYou make it sound like inserting a basic SQL injection attack is like surfing google.com and is common knowledge, just like finding a car with the windows rolled down and the laptop just sitting on the seat wide open for anyone to take. I'm not sure of the steps myself, but I am sure it is much harder than that. Plus you have to hide your tracks well.
And getting hackers to show corporations how to handle security is like going on a murdering spree with a gun to prove a point to the gun store that they shouldn't have sold guns to people like you. It's backwards talk.
Hopefully there are people investigating the actions of Lulz Security as we speak and will have CloudFlare remove their services from the group. More people need to take action against Lulz Security so they can take their Lulz boat and sail off into the distance (if you know what I mean).
First of all I take internet security very seriously. I am not condoning or supporting the hacking of Sony by Lulz Security I'm simply saying that they are leveraging technologies to protect the data they stole in a way that other companies...like Sony...should have been protecting data in the first place!
ReplyDeleteSecondly anyone performing an SQL injection against a company like Sony is not just an average user. Knowing SQL well enough to be able to perform something like this would require a user to have an intimate understanding of web applications and how they work, application security, and programming. Given the fact that Lulz Security pulled this off, hide their activities, and where (so far) successful shows you that this isn't a 13 year old kid that "Googled" something. My reference to the car window being open was aimed at Sony because they were the ones that left the window down by not encrypting anyones data.
Finally if you don't think that the FBI, NSA, and Japanese equivalent aren't looking for everyone and anyone involved with hacking Sony plus the 10+ other big names companies this year you must be crazy. Hacking is a serious crime that no one under any circumstance should take lightly. If you are stupid enough to hack something for the "fun" of it then you deserve to be caught.
I would imagine that CloudFlare will eventually remove their accounts and data when one of the government agencies leans on them enough...but ask yourself why Twitter, Facebook, etc haven't removed their accounts either? It's not just about Lulz Security or anyone else hacking into companies for that matter....it's the fact that large companies like Sony with security engineers, huge budgets, and IT staff don't take the necessary measures to protect anyones data.