If there was one thing Lulzsec was good at, it was making headlines: The shadowy hacker group entered the public consciousness with the spark of a lit match, only to extinguish back into obscurity as soon as its one-and-a-half-month-long stick ran out.
If there were two things Lulzsec was good at, they were making headlines and SQL injections, the alleged attack vector behind a number of the group’s more notorious hacks. But now that the Lulzboat has sailed back to wherever it came from—the hacktivist group Anonymous?—we find ourselves asking what the group actually managed to accomplish during its brief romp through the Internet. And more importantly, what did those attacked actually learn from Lulzsec? How do their responses influence the different kinds of techniques you can use, as a consumer, to keep your “protected” data safe from the next wave of angry Internet hackers?
From Heroes to Zeros
At first, Lulzsec accomplished what everyone from Twitter users to aspiring musicians to cat owners aspires to find online: fame. And then the group showed us all just how foolish we were for believing that Lulzsec actually cared about its popularity.
Isn’t it funny that we always seem to cheer for the “underdog” whenever a major hacking situation makes the front pages? Consider those poor X-Factor auditioners. Sure, it stinks that they got their names and associated information released out into the wild. But those of us watching from the sidelines probably just chuckled. The same holds true for Lulzsec’s release of Fox employee user names and passwords: No harm, no foul for those of us who don’t work at Fox. But watching a group of hackers stick it to the Man?
And we continued to chuckle. A PBS hack here, a false Tupac-is-still-alive story there. Yet another hack on a Sony property gave us plenty of room to talk about how dumb the company must be, and how ineffective its security policies are across all of its different properties, and how we can’t wait to see what those creative Lulzsec hackers get their hands on next.
Lulzsec then leaked even more data from a Sony site, and we smiled with grim satisfaction. We ran a cursory CTRL+F search on its database dump of accounts from Pron.com to see if we recognized any friends’ email addresses. And then we sat back and thought about all manner of things digital as Lulzsec DDOS’d our favorite gaming sites and titles.
Almost overnight, Lulzsec transformed from geek champion to geek archnemesis. Distributed denial of service attacks serve no purpose but to hack off users, and here came Lulzsec, indiscriminately targeting games like EVE Online (and CCP Games’ official site), Minecraft, League of Legends, Bethesda, Sega and even the gaming site Escapist Magazine.
And quickly, the world learned—or, perhaps, was reintroduced to the fact—that Lulzsec wasn’t just some hacktivist group looking to make a political point, showcase security lapses within common Websites, or be popular. They really were following their mantra to the core: selfless entertainment for entertainment’s sake, with no desire to claim a cult following if it might inhibit their ability to upset a great number of people at once.
The aftereffects: What aftereffects?
Since Lulzsec’s main operations were based on entertainment value—coupled with fairly low-tech SQL injection attacks—there really wasn’t much that sites could do beyond cursory damage control once the self-described “Lulzboat” sailed for new shores. This was a situation quite different than the famed debut of the Firefox add-on Firesheep, a strong factor behind Facebook and Twitter’s decision to debut site-wide SSL encryption.
Throughout Lulzsec’s escapades, we can’t think of one instance where an attacked site voluntarily boosted security measures for its users in response to a Lulzsec data dump. It’s not as if Bethesda suddenly came out and said, “You know, Lulzsec hit us pretty hard. We’re going to throw an additional step into our authentication process to make it a lot more difficult for future leaked information to have any effect on your account login.”
Nope! The real victims of Lulzsec’s attacks—the users whose private account information was now made public across the Web—received the ol’ apology and promise. Sites insisted that they were very regretful about the breach and said that they would do everything in their power to plug holes and make sure it didn’t happen again. Which is all well and good, we suppose, but it did little to clear the fact that users’ data was already out in the wild.
Depending on how Web-savvy (or news-savvy) users were, they might not even realize that their logins, passwords, emails, and all sorts of other key data points were already being exploited by various unsavory Web users—not until it was too late, or not until they saw a brand-new $1,000 charge to their credit cards from a third-party Amazon purchase, for example.
And it’s not like Lulzsec’s irritating hacks ever rose to the level of Sony’s PlayStation Network breach, which ultimately forced the company to provide identity protection services for its humongous audience. You sure aren’t going to see ol’ Pron.com reaching out to help members after-the-fact, though we commend sites like Facebook that took Lulzsec’s releases, ran them through their own databases, and temporarily disabled accounts associated with leaked email addresses.
Lulzsec’s hacks were primarily done for their own benefit. And due to the nature of the attacks, there was little sites could (or wanted to) do to prevent future leaks of user data from having as big an impact. Two-factor authentication and keyfobs don’t just drop out of the sky every time your favorite site gets hacked!
What should users do now?
We’ve established that Lulzsec’s hacks were random and unaffected by the interests or “geek cred” of the particular audiences targeted. We’ve also established that sites, once attacked, offered little recourse for those caught in the Lulzboat’s crosshairs. What does that mean? It’s time for users to start taking security into their own hands. And we’ve come up with a few different techniques that people of all skill levels can employ to at least reduce the effects of a catastrophic data breach on your favorite sites.
You’re going to hate us for suggesting this, but the surest way to manage your own online security is to put a buffer between your real data and the public world. Instead of offering up your cell phone number for online accounts or offline forms that could ultimately find their way online, use a Google Voice number that you can forward to your real-life phone. Instead of an address, get a P.O. box. Instead of your real email address, get a stock email address from any of the free providers and use it to forward or relay all your messages to your actual address.
If an attacker gains access to any of these third-party accounts, guess what? They don’t have your real phone number, or your email address, or even your physical address. Your message archive and personal email account are safe, your real-life phone number remains hidden, and people aren’t going to show up at your door. It’s a lot easier to set up a new forwarding address than it is to change your permanent contact points.
Now comes the bad news: There’s nothing you can do when a hacker breaks into a website and steals your login credentials: That’s it. Your access to that site is compromised.
What you can do, however, is ensure that there’s no way this information could be used to mess up your account on other Internet sites. And you’re really going to hate us for this suggestion, but it’s time that you started using separate user names and passwords for every website you sign up for. We get it. It’s an annoying practice. It’s a lot easier to remember “12345” than 85 different password combinations for all of your social networking sites.
You can even use an online service like LastPass, or a purchasable app like 1Password (or the freeware app KeePass), all of which let you store your login credentials in various encrypted ways. But if keeping your passwords in a single repository (that’s presumably hackable, given enough effort) defeats the entire point, you could always shoebox it: that is, write down your passwords in a notebook and keep it hidden somewhere in your house. It’s old-school, but the method will at least give you more peace of mind that a breach of a single online account isn’t going to wreck your entire online identity (though we can’t say much about hacker/house burglar hybrids).
The Dawning of a New Lulz
We live in a scary digital world nowadays: The scriptkiddies of yesteryear that used to futz around with various “hacking” utilities in America Online have grown up. They’re IT professionals; they’re sysadmins; they’re gurus; they’re Anonymous. And some of them are angry or, at the very least, curious to see just how far they can push the digital envelope when it comes to accessing information they shouldn’t.
There’s no perfect way to prevent your account information from being swiped by someone else—not unless you cut yourself off from the Internet or websites completely. But that doesn’t mean that we all can’t stand to be a little safer with our online information. If Lulzsec has taught us anything, it’s that no site—no matter its size or scope—is sacred. The burden of proper security is slowly shifting to the shoulders of the user, not the corporation: It’s up to you to ensure that you’ve done everything you can to stay safe out in the wild, wild Web.