Just a day after the ‘retirement’ of hack-the-world-and-expose-random-people’s-data cyberbreach group LulzSec, the official announcement is already old news.
The world is already in a questioning frenzy about what happens next.
Sadly, the questions are often of an unanswerable sort: inviting speculation, possibly even wild speculation; or trying to squeeze conclusions from unsupportable, possibly even wildly incorrect, starting points.
Here’s one example. “Do you think,” one questioner asked me, “that LulzSec was as sophisticated as it made out?”
But LulzSec never made any particular claims about sophistication. Also, it trumpeted only its successes, and didn’t enumerate those sites which it tried to hack but failed.
Perhaps a better question might be, “Would the level of sophistication of LulzSec affect the criminality of its exploits?” (That’s a rhetorical question, though one you are welcome to ponder for yourself.)
Another interrogator wanted to know, “Has LulzSec really disbanded? What do you think they’ll do next?”
You’ll have to make your own mind up on that. You can read LulzSec’s press releases, and you can look at the LulzSec Twitter feed. Do you think they’re honourable, and can be taken at their word? Does it matter? Do we not collectively care enough about security and privacy to lift our game regardless?
And yet another inquisitor posed the question, “Has LulzSec quit because it achieved its goal of raising security awareness?”
Why ask me?
LulzSec’s own press release offers the explanation that: “we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere.”
That’s a rather generic and mixed bag of things LulzSec hopes to have achieved. Both love and hate, for example; both approval and disapproval.
Notably absent, though, is the explicit mention of achieving “better protected networks worldwide.”
You have to decide for yourself whether this outcome is subsumed in the desire to have provoked inspiration, or whether LulzSec’s inspiration was merely to persuade others to start stealing data too.
So, instead of allowing yourself to be sucked into the raft of speculation about LulzSec, its skills, its motivation and its achievements, why not take interest in some financially punchy evidence of the risk which cybercrime in general poses to our economy?
Last week, for instance, the FBI announced a co-ordinated twelve-country bust against a cybergang who’d been selling fake anti-virus, also known as scareware.
The FBI’s estimates, which are perfectly believable, are that this one group managed to trick close to a million people into spending an average of $75 each on software which is a worthless pack of lies. A believable pack of lies, but lies nevertheless.
So if you must speculate about cybersecurity and the lessons to be learned, try to guess what percentage of the total amount stolen in scareware scams alone each year is represented by this one $72,000,000 bust.
And if you’re still waiting for a “big moment” to help you decide that security is worth something, and isn’t merely a drain on operating expenses…
…then it’s time to take off your Joo Janta Peril Sensitive Sunglasses [*] and to smell the coffee. (We’ve enjoyed such a raft of mixed-up coverage so far in the LulzSec journey that one more mixed metaphor will surely do no harm.)
For a handy review of recent cybersecurity news, including plenty of issues in the more-interesting-than-LulzSec category, why not take a listen to the latest Sophos Security Chet Chat 65? This is a quarter-hour podcast which mixes news, opinion, advice and research:
(23 June 2011, duration 13:13 minutes, size 9.1MBytes)
[*] With apologies to the late Douglas Adams, creator of the Hitchhiker’s Guide to the Galaxy series. Properly known as the Joo Janta 200 Super-Chromatic Peril Sensitive Sunglasses, the JJ-200s are designed to help people develop a relaxed attitude to danger. At the first hint of trouble they turn totally black so you are unable to see anything that might alarm you. Zaphod Beeblebrox favoured a double pair.
Scareware… isn't most of the anti-_____ software out there in some form or another scareware? Indeed, this very post is leading customers towards fear and tries to incite them to buy more security, preferably from Sophos obviously. I am not in any way saying that I believe that security software is bad or useless but rather I am pondering why there is such fear. We live in a digital age and our information will end up in the wrong hands at some point. It's just a reality (I've received at least 3 notices in the past two years about some of my information being stolen). We should be vigilant and work towards *smarter* security of our information but that doesn't just mean using software like Sophos makes. It means herding your information with the care and order of a master sheep herder.
I don't know whether to be offended or to smile. (Aren't most of the people who comment on security sites trolls in some form or another? 🙂)
I'm interested to know why you think our software might reasonably be considered scareware. We don't pop up fraudulent warnings before you've even visited our website (and, even then, we don't pop up warnings). We allow you to download our anti-virus for free (for ever on the Mac and for one month on other platforms) and to try it out in its entirety. That means detection, prevention and disinfection. We don't find stuff for free but only offer to clean it if you pay up.
Most importantly, we only report threats when we believe they are genuinely present. We only offer to clean them up if we think we can do so. When you ask our software to do so, we actually try to remove them.
Scareware, in general, reports threats which don't exist at all, tricks you into paying a fee, and then "cleans" them simply by stopping the fraudulent reporting.
LulzSec explicitly stated that it hoped it had created fear (see above). My article is asking you to ignore LulzSec and all the hand-flapping follow-up, to get rational about security, and to take it seriously.
So, ironically, we agree.
Technology is part of the solution. More accurately, it is part of the means by which we can solve our security problems. But as long as we are living at some sort of extreme (fretting over LulzSec, or looking at security through JJ-200s), we're getting nowhere.
And it's not enough to herd _your_ data like the most careful shepherd. You need to herd _my_ data carefully, too, especially if you collected it for your own commercial benefit!
After some of the core group's identities leaked both publicly (and privately), they knew or suspected they were being both electronically and physically surveilled. Being electronically surveilled from their originating endpoints negated the precautions they normally took to cloak their identities while online. It was just a matter of time from that point before the compromised members were going to v&, hence this weekend's announcement. @sharpesecurity
Why are there no penalties for companies that we entrust our data to when they prove to be incredibly incompetent and/or don't invest what it takes to protect it to save $$$? If I paid a storage company to store my stuff and it turns out they left the place unlocked and unguarded and my stuff got stolen there would be legal consequences for them. Why are there no legal consequences for Sony, Citibank, et al.? They didn't do their jobs. Instead they are portrayed as innocent victims being exploited by groups like LulzSec.
One could almost view the LulzSec campaign as a very interesting experiment that poses a series of questions;
What happens when the paradigm shifts from the single skilled hacker, to the disorganised leaderless body of hackers, to a group of hackers organised into their areas of expertise like a team in a business? LulzSec demonstrated an optimised utility of skills akin to what can be observed in government agencies, where the skills can be spread across a group of individuals rather than one person having to master all.
…
All that is gone is the constant updating on the LulzSec twitter account. There are still other "international" LulzSec groups DDoSing and trying to deface sites / steal information (e.g. LulzSecITALITY). Those working with the old LulzSec account on twitter are now helping Anonymous (e.g. AnonymousIRC feed on twitter). Nothing has changed.
Who cares?!?!? Seriously… these idiots have all the effectiveness of peeing in the ocean to watch the tide rise… it gives you a nice warm feeling but it doesn't accomplish anything. What a pathetic bunch of basement-dwelling losers!