Saturday, June 18, 2011

LulzSec–I am amused (chuckles)

Honestly. LulzSec is hilarious and in the process of their amusing merry-making they also happen to be making a very serious and important point.

They’re doing this because they can.

And the point that they’re trying to get across is that our data isn’t secure which puts the public at serious risk.

It’s a message that should be taken seriously.

Note that they are White Hat hackers. They did nothing illegal with the information, like selling it to unscrupulous third parties. They simply hacked, provided evidence that they had hacked and how far they got, publicized the hack, and lastly publicized what could have happened to the data had they been Black Hat hackers.

Like Anonymous, LulzSec appears to be a socially responsible hacking group and one that’s trying to give the Information Technology industry the push it needs to deal seriously with the security of online data and computer systems.

It’s a message which hasn’t taken hold, despite the criminal and black hat hacks of government and corporate systems within the last few years, some of which have threatened the national security of governments like Canada when our financial systems were hacked this year.

At least part of the problem is the fact that government and corporate entities don’t really understand how these violations occur thereby leaving themselves open and vulnerable, often without realizing it.

I’m not a hacker, but being in IT, I understand the process of hacking. I have to in order to write software code which at least attempts to block it.

Of course, I make no guarantees, because I can’t, and neither can any other software developer. If one does, they’re lying to you. There’s always going to be a hacker out there who is better at breaking our code than we are at writing it, no matter how good we are. In addition, we have to balance security requirements with ensuring that the functionality requirements are met, some of which, by their very nature, make the code less secure.

The best that we can do is minimize the threat by writing code that is difficult to break.

Serious hacking (not Script Kiddies who pick up malware online and distribute it) requires two components:
1. A high degree of hardware and software knowledge (technical engineering).
2. A high degree of social knowledge of the target to be hacked (social engineering).

Serious prevention must have strategies for managing both of the above processes.

Probably the most important security point to remember is that the biggest threat doesn’t come from outsiders but from insiders.

It’s insiders that have both the Technical and Social knowledge required by outsiders to perform a successful hack. Whether those insiders are innocent dupes, criminals who have been bribed, or part of the black hat hacker team is irrelevant to the fact that they will have contributed to the insecurity of the system. It would, of course, be relevant if they were caught in order to determine what kind of charges should be laid.

So, when a Government MP or Corporate CEO, for example, has been either knowingly or unknowingly compromised and hires an Employee Recruitment firm for the wrong reasons, that MP or CEO may well have just opened the door to allowing their government or corporate data to be compromised.

And the insiders aren’t always, or even usually, the IT people.

Receptionists and Cleaning Staff are lucrative targets because:
1. They are generally poorly paid.
2. Receptionists have Social Engineering knowledge that would be useful to hackers, as well as a login/password to the system.
3. Janitors have access to all of the physical areas of the building which could allow them to attach hardware to server and computer systems which could be used to compromise them as well as provide hardware information.

Other regular employees are not immune either. Employee groups like Customer Service (client information) or HR (employee information) have access to information that would be considered confidential. They can provide logins, useful social engineering information, or in many cases the actual data to the hacker group, which could be used to compromise the rest of the system.

If IT people are compromised, there is generally no need to hack the system because it’s already completely compromised from within, since they have direct access to the data and can do pretty much whatever they want to do with it.

There are ethical technical and social solutions to all of these problems that do not involve violating civil rights and are not draconian in nature.

Unfortunately, the tendency appears to be to go with the draconian solutions, which almost always involve civil rights violations, making employees feel untrusted and targeted, or requiring all kinds of high-level (and frankly useless) security clearances. It’s really a shame, but that tends to be the direction preferred by those who continue to cling desperately to the old-fashioned and outdated Security and Intelligence Cold War psychological model.

In my opinion, none of the alert parameters that they apply or look for make one iota of difference in terms of preventing these types of organizational compromises. They just make the “suits” feel like something is being done and give them something to tell people, thereby creating a sense of false security which contributes to the worsening of the problem.

And as long as that is the model out there in the IT Security and Intelligence World, LulzSec, Anonymous, and other White Hat Hackers will continue to have a lot of fun at your expense, and the Black Hat Hackers will continue to seriously compromise our systems.

Now that they've attacked Canadian Federal financial systems, what's next? Do we even know if they've hacked other Federal systems like the RCMP, or Provincial Government systems like Ontario's eHealth, OPP, or Provincial Financial systems?

On a personal note, while I do take all of the important steps to protect my systems’ security, my focus isn’t really on preventing anyone from hacking my system but rather on catching them. I don’t have insiders on my system, but if I did, that would apply to both insiders and outsiders.

More fun that way for me, but then, unlike most users, I have the technical skills to do it ;-D.

And so does the IT world.

Just a thought ….