My feature from the Aug 2011 issue of Network Security.
Sony: just another victim
One of the most interesting aspects of the Anonymous/LulzSec hacking of Sony is the opportunity to observe what effects it might have over time. Now a legal decision in Australia has placed Sony in a position that, I suspect, it finds very agreeable - as a victim.
While most security analysts seem to agree that the hacks themselves were fairly trivial - from both a technical perspective and in terms of immediate damage - the true significance, we were led to believe, would be the effect on Sony’s brand.
Indeed, various Anonymous and LulzSec mouthpieces were keen to point out the reputational damage they had wrought. Time after time, with both the Sony hacks and other high-profile attacks mounted by the groups, we were informed that the whole point was to sully the reputations of the organisations under assault so that customers would think twice about doing business with them.
One Anon told me, in an IRC chat, that the desired result will be that, “people will think twice before they hand over their identities online. That people will stop and say ‘Do I KNOW this data is safe? Do I KNOW no one can hack into this system and use my information against me?’”
However, this effect relies on one critical factor: it’s important for the general public to believe that Sony was culpable in this matter - that its poor security (and it certainly was poor) was a major contributor to the leak of its customers’ data. In that scenario, hackers such as LulzSec are more of a catalyst than a cause, or at worst the final link in a chain of insecurity for which the hacked company is partly, if not largely, responsible.
But…
I found, when researching an article on hacktivism for Network Security (available on Science Direct - subscription or payment required), that this is not a perception of the Sony hacks that is universally shared. In fact, I concluded that LulzSec’s desire to taint Sony by leaking the company’s databases faced a number of hurdles.
The first is that people forget. Try asking your friends (at least those who aren’t followers of hacktivism) about the incidents and you’ll probably find that many have forgotten all about the hacks, even if they knew about them in the first place.
Sony customers, especially members of the PlayStation Network (PSN) may be more inclined to remember. But I don’t think it’s too cynical to suggest that most of those will be inclined to forgive and forget just as soon as the next cool game comes out. I’ve certainly not heard of any large-scale abandonment of the PS3 platform.
Of course, many people will simply not understand that Sony was in any way culpable in this matter. IT security is a complex and arcane issue. Poor security is hard to explain to lay people. Yet everyone’s heard of hackers, a term now (alas) largely synonymous with ‘criminal’ in the public’s perception.
And so most people who remember that Sony was hacked will simply assume that the poor company was maliciously attacked by bad guys.
The Australian Privacy Commissioner, Timothy Pilgrim, agrees. He’s just ruled that one of the victims of the PSN breach was … wait for it … Sony. His investigations have concluded that Sony was not in breach of the country’s National Privacy Principles - that it was the nasty old hackers who ‘disclosed’ the company’s data, not Sony itself.
As time goes on, the number of people who remember that Sony was hacked will diminish. Given that those who realise the company was partly to blame will be a small subset of that number, and that those who care enough not to give Sony their business is a smaller group still, then Sony can probably rest assured that it is already over the worst.
At least, that’s as far as reputational damage goes. The firm is still facing lawsuits, including several class actions. But all that’s at stake there is money…
Time for a #LulzSec successor
Now that (allegedly) LulzSec spokesteen ‘Topiary’ has been arrested, and it’s only a matter of time before ‘Sabu’ is looking down the barrel of a law enforcement raid, maybe it’s time for a new group to take up the mantle of AntiSec.
We’ve already seen the rise of TrollzSec, which successfully outed Topiary’s true identity.
But there’s room for more on the open seas of hackerdom.
So, if you can watch Anonymous videos without laughing, own a pair of shades and can spell SQL, maybe it’s time to start your own script kiddie club. I offer the following as possible names:
SkullzSec - strictly for boneheads
DullzSec - we leak boring crap
ProllzSec - now anyone can be a hacker
DrollzSec - not funny, but maybe a tad amusing
GullzSec - for those who think security is strictly for the birds
NullzSec - hacking for zeroes
Password problems
Some of the recent stunts by online mayhem seekers LulzSec have highlighted (again) something we all know: it’s bad to use a password for more than one website.
Recently, LulzSec hacked porn site pron.com, obtaining customer logins and admin credentials for a number of other porn sites - all with passwords apparently stored in plain text. Leaving aside the embarrassment that will be caused by some of the account email addresses having .gov and .mil at the end, there’s a high likelihood that at least some of these credentials will be valid on other sites. LulzSec encouraged its followers to try logging into Facebook with them and, if successful, bring down shame on the luckless users. A tad unsporting that. Facebook responded by resetting passwords for any and all affected accounts.
At least the people most at risk from this stunt are likely to know about it. LulzSec’s only motivation appears to be glory-seeking. The group has certainly not espoused any coherent political, ethical or commercial agenda. Normally, when hackers purloin login credentials this way, they don’t tell the world. They’re after your money.
So getting your passwords in order is a smart idea.
I use LastPass to manage my online passwords. It’s not without its own risks. The service had a scare recently when its security was mildly compromised. And there’s an inherent paradox in the concept. LastPass enables you to create long, complex passwords using all four character types - uppercase, lowercase, numbers and non-alphanumeric (punctuation and ‘special’ characters). It will randomly generate these for you. (Okay, pedants - pseudo-randomly generate.) These are the kinds of password that are impossible to remember. Fortunately, LastPass remembers them for you and will enter them (automatically, if you want) into login forms.
That’s a good thing. The problem is that there’s one password it won’t remember for you - the master password you need to gain access to LastPass itself. In other words, the one password that you’re going to be motivated to write down, or make weak enough to remember, is the one that gives access to all your other passwords.
Oh well.
LastPass does have another very useful feature. It will run a security check on all your stored passwords. It looks for instances where you’ve used the same password on multiple sites and also judges the strength of each. It’s a sobering experience. I’ve just about finished the drudgery of changing my passwords on dozens of sites, ensuring each one is unique.
There is another benefit to carrying out this check: it reminds you of sites you no longer use. And I think this is a security vulnerability that not enough people consider.
It may be just me, but I seem to have gone through a period where I would register at sites using one of a small pool of common passwords, all rather short and easy to crack, thinking ‘oh, I can’t think of anything stronger right now, I’ll fix that later’. And, of course, I never did.
Looking through my LastPass vault, I can see a surprisingly large number of sites where I’m registered but which I haven’t visited in a long while. The danger they pose is this: most of these sites are small or middle-ranking, the type that may not be the most secure. They’re the most likely kind of website to give up their password databases to hackers. Having now changed my passwords, any hackers would (hopefully) only have access to a password I don’t use anywhere else. But there’s always a risk that I’ve overlooked something. And, in any case, the hackers won’t know that, and will be encouraged, purely by my presence in the purloined database, to go pound on my other accounts.
It seems obvious to me that being registered at sites you don’t use is a small but real security risk.
So, as part of my current password hygiene practices, I’m revisiting these sites and closing down my accounts. I can only hope that they’ll actually delete my records (as they should), rather than simply marking them ‘inactive’.
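The three checks described in this section (the four-character-class generator, the vault scan for reused and weak passwords, and the hunt for accounts you have not touched in ages) fit in a few dozen lines. The script below is an added example written for this page; it is not LastPass’s code and does not reproduce its scoring. The vault entries, the audit date and the strength heuristic (at least 12 characters and all four classes) are constructed assumptions for the demonstration.

```python
"""Audit a password vault for reused, weak and stale entries, and
generate replacement passwords drawn from all four character classes.

Everything below is a constructed example: the vault, the audit date
and the strength rule are assumptions, not LastPass's own logic."""
import secrets
import string
from collections import defaultdict
from datetime import date

# Constructed sample vault: site -> (password, date the account was last used).
SAMPLE_VAULT = {
    "forum.example":   ("letmein1",         date(2009, 3, 2)),
    "shop.example":    ("letmein1",         date(2011, 7, 15)),
    "bank.example":    ("T7#pq!zL2wR9$vBn", date(2011, 8, 1)),
    "mail.example":    ("Summer2010",       date(2011, 8, 3)),
    "oldgame.example": ("T7#pq!zL2wR9$vBn", date(2008, 11, 20)),
}

# Constructed "today" so the audit is reproducible offline.
AUDIT_DATE = date(2011, 8, 10)

# The four character types the column mentions.
CLASSES = {
    "upper":  set(string.ascii_uppercase),
    "lower":  set(string.ascii_lowercase),
    "digit":  set(string.digits),
    "symbol": set(string.punctuation),
}


def char_classes(password):
    """Return the names of the character classes present in `password`."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def is_weak(password, min_length=12):
    """Heuristic (an assumption for this example): a password is weak if it
    is shorter than `min_length` or misses any of the four classes."""
    return len(password) < min_length or len(char_classes(password)) < 4


def audit_vault(vault, today=AUDIT_DATE, stale_days=365, min_length=12):
    """Return (reused, weak, stale):
    reused -- password -> sorted list of sites sharing it (only if > 1 site)
    weak   -- sorted sites whose password fails is_weak()
    stale  -- sorted sites not used for more than `stale_days` days."""
    by_password = defaultdict(list)
    for site, (password, _) in vault.items():
        by_password[password].append(site)
    reused = {pw: sorted(sites) for pw, sites in by_password.items()
              if len(sites) > 1}
    weak = sorted(site for site, (pw, _) in vault.items()
                  if is_weak(pw, min_length))
    stale = sorted(site for site, (_, last_used) in vault.items()
                   if (today - last_used).days > stale_days)
    return reused, weak, stale


def generate_password(length=20):
    """Generate a password containing at least one character of each class.
    `secrets` draws from the OS CSPRNG (pseudo-random, as the column notes)."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if len(char_classes(candidate)) == 4:
            return candidate


if __name__ == "__main__":
    reused, weak, stale = audit_vault(SAMPLE_VAULT)
    for pw, sites in reused.items():
        print(f"reused on {', '.join(sites)}")
    print("weak:", ", ".join(weak))
    print("stale (consider closing the account):", ", ".join(stale))
    for site in weak:
        print(f"replacement for {site}: {generate_password()}")
```

Run as a script it prints the reused, weak and stale entries for the constructed vault and proposes a fresh password for each weak one. The stale list is the part most audits skip: an account you have forgotten at a small site is still a row in that site’s database, and the audit surfaces it so you can close it rather than leave it for the next breach.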
Just in it for the lulz?
Supporters of Wikileaks are dedicated to freedom of speech - until, that is, someone disagrees with them.
“Humankind,” wrote Eliot, “cannot stand very much reality”. And so it is with a bunch of self-styled net buccaneers calling itself LulzSec.
The US Public Broadcasting Service (PBS) - normally the darling of those with anti-corporate leanings - has suffered the ire of these ‘hacktivists’. Apparently, it screened a documentary about Wikileaks that was not entirely flattering. Such insults are not to be borne.
There is a distinct whiff of Anonymous about LulzSec - the same whimsical self-regard, the same adolescent posturing. (There is, for what it’s worth, a #lulzsec channel on irc.anonops.in. It’s unlikely to be any kind of official hangout - I was the only person in there when I checked it out.)
Denial of service attacks and website defacement are the preferred forms of protest for Anonymous. They are high-profile acts that require little effort, minimal skill and involve relatively little risk. There is, of course, the unfortunate side-effect that the downing of a website effectively denies the legitimate owner of free speech. This form of hacktivism is a way of shutting up those whose opinions differ from yours.
It seems that LulzSec is gearing up for more attacks on Sony - the target du jour of Anonymous. Meanwhile, the group is basking in the attention garnered by the PBS stunt - and getting attention was probably half the point in the first place.
The Internet is a powerful medium for activism and deserves to be used as such. But hacktivism needs to be driven by more than petulance. If the Internet is to serve as a place for taking a principled stand, it’s important that it does not acquire a reputation for immature pranks. Vandalism is not an effective way of engaging in complex debates about political responsibility, freedom of information or digital rights.
LulzSec has yet to elucidate any meaningful principles or agenda, other than a desire to show off in public. Assuming it has a genuine ethical purpose behind its behaviour, perhaps these will be spelled out on a forthcoming website. Let’s hope so.