LulzSec and Anonymous are the least of your hacker worries

@CNNMoneyTech July 25, 2011: 5:17 AM ET

Is LulzSec's odd cartoon logo the face of the new cyber super-villain?

This is part one of a week-long series on the ecosystem of cybercrime.

NEW YORK (CNNMoney) -- LulzSec took down the CIA's website in mid-June in an effort to prove to the world that the hacker group should be taken seriously.

But in the truly grand ecosystem of cybercriminals, LulzSec, Anonymous, AntiSec and other so-called "hacktivist" organizations are more of a nuisance than a serious threat. These fringe groups are the least worrisome of all cyber attackers.

"This isn't juicy stuff that they're getting from their attacks," said Eric Fiterman, founder of Rogue Networks, a security startup housed in an incubator backed by the University of Maryland Baltimore County. "They themselves don't know the full cybercrime ecosystem, and they tend to over-inflate their position in the hierarchy."

The global cybercrime universe is terrifying. Cybercrooks often work in organized crime syndicates like the Mafia. Some defraud banks, and many others are government agents that spy on foreign entities and corporations. They threaten our financial systems, our economy, and our national security.

Comparatively, hacktivist groups are the equivalent of graffiti artists, prank callers, hazers and bullies. Like pranksters, they tend to be young, poorly funded and immature. They seek to embarrass companies, individuals, and government agencies in order to make a statement.

They're also extremely disorganized -- the name "Anonymous" is much more of a brand than an actual organization. Solo hacktivists and independent, small groups often band together under its banner. One of the loudest of those groups became LulzSec.

That's not to say Anonymous and its offshoots should be ignored. Its ranks include many skilled hackers who have been able to steal information from the Senate and Arizona state police websites, as well as data from major corporations like Sony (SNE), Bank of America (BAC, Fortune 500) and Nintendo. They've also successfully blocked access to the websites of Visa (V, Fortune 500), MasterCard (MA, Fortune 500), the CIA -- and, most recently, several News Corp. (NWS) newspaper websites.

LulzSec and Anonymous often gain entry through the same methods that the real bad guys use. Typically, they use so-called "SQL injections," an attack method that has been around for more than a decade. Those attacks exploit vulnerabilities like coding errors in websites' internal databases in order to uncover information.

The key difference between hacktivists and more serious criminals lies in their motivation. Anonymous isn't interested in stealing data like credit cards, payroll information or information critical to national security for profit. Instead, they hack to gain attention for themselves and their causes.

Hacktivists go in, get out, and post whatever they were able to find quickly. They don't take the months or years it would take to really do significant damage.

Typically, hacktivists have gone after lists of usernames and e-mails associated with a particular site, but in some cases they've been able to access -- and make public -- embarrassing internal corporate e-mails.

If they can't quickly hack a site, they have also been known to launch "denial of service" (DOS) attacks that overload a website's server. That kind of attack isn't technically a hack, since it never compromises a site -- DOS attacks just prevent people from accessing the targeted website.

Hacktivists can be obnoxious. But dangerous?

Face to face with LulzSec

Right before Karim Hijazi was contacted by LulzSec in late May, he knew something was coming.

Hijazi runs a company called Unveillance, which monitors and attempts to commandeer botnets -- large groups of infected computers that cybercriminals use to perform malicious acts, ranging from sending spam to launching DOS attacks to disguising their location and identity.

On May 25, Unveillance's servers started to get hit with an unusually high level of activity from offenders attempting to break in. Hijazi took extra precautions to ramp up security and keep the attackers out. It worked, and he thought he was secure.

But what Hijazi didn't realize was that LulzSec was playing with loaded dice. From an attack LulzSec had previously launched against the website of Infragard Atlanta, a cybersecurity alliance Hijazi participates in, the hacking group was able to get Hijazi's personal e-mail address and the password to that account.

Unable to break into Unveillance's systems, LulzSec contacted Hijazi in an e-mail and put his password in the subject line. Hijazi said the group demanded money or access to a botnet, which it planned to use for future attacks.

Hijazi didn't comply. Soon after, LulzSec posted his work and personal e-mails online for all to see. They further embarrassed Hijazi by claiming that he had paid them to attack his competitors.

In the end, Hijazi's reputation was damaged, but LulzSec didn't get their hands on a botnet.

Muckraking and smear campaigns have so far been hacktivists' most successful method of attack.

For instance, LulzSec -- then operating under the Anonymous banner -- couldn't penetrate the systems of security contracting firm HBGary Federal. But it was able to crack open corporate e-mails and found some pretty salacious stuff, including plans to help the U.S. Chamber of Commerce, an industry trade group, undermine its political opponents through a sabotage campaign. That led to the resignation of HBGary Federal's CEO, Aaron Barr.

HBGary CEO Greg Hoglund acknowledged that hacktivists can indeed cause damage, but his view is that their capabilities are still very limited compared to their much more sophisticated cybercrime peers.

"What happened at HBGary pales in comparison to what happened to Sony," Hoglund said. "I was quite embarrassed that my e-mail was put online, but that was really the extent of it."

The attention hacktivists get is often far out of proportion to the scale of their exploits.

"When the CIA's site went down, it was just a public facing site with no significant information," Hijazi said. "A denial of service attack is not a big deal. But to most people, hearing that the CIA went down sounds scary."

And that's exactly what LulzSec wanted. They love the attention. In fact, the CIA DOS attack was done because a Twitter follower accused them of taking on targets of little consequence. So they aimed for a high-profile victim -- with a low-tech attack. Even LulzSec acknowledged the trick's ease, tweeting, "People are saying our CIA attack was the biggest yet, but it was really a very simple packet flood."

If there's anything positive to come from all the attention they've been getting, it's that hacktivists have rattled the apple cart enough to shine a light on the global cybersecurity problem.

"The great irony of all of this is that LulzSec has had a positive effect on security," said Deepak Taneja, chief technology officer of Aveksa, a security software company. "They're nothing, they're pranksters. But all the press that they're getting has helped security permeate the C-suite level at companies. Now, they're waking up to the risk management they really need to defend against the more serious threats."

But hacktivists are just the very tip of the iceberg. The most serious threats are powerful, dangerous, and loaded with cash -- and they're operating in the shadows.

Coming Tuesday: How low-tech Internet scams harvest millions of dollars.