Saturday, June 25, 2011

LulzSec, Anonymous, ICE, FBI and users Part III

Get caught up on this series Part I, and Part II.
So I've been talking about these four groups and how they have been interacting. However, these groups are not interacting in a vacuum. Theses groups are either hacking governmental organizations or they are hacking corporations.When Anonymous and LulzSec (or any other hacking group) goes after a company, they are trying to get one of two things, some times both, either user data or  some sort of dirt on the company itself.

User information can range from names, locations, email address to IP addresses and credit card information. Since these guys are going after big companies, like Sony, Blizzard, and other gaming companies, they are most likely going after as much information as they can get their hands on. When it comes to dirt on a company, they go after big companies and small alike. They went after Bank of America in an attempt to reveal improper behavior to punish someone for the financial mess we're in. Small companies like HBGary was a bit of a grudge match. HBGary claimed that they were able to bring down all of Anonymous, which pissed the group off. HBGary was hack and completely discredited and also showed a lot of nastiness going on in the security world in general.

In some ways it's pretty obvious how stealing using information impacts the user. Recently, Sony's PlayStaion Network was down for a month, because of the security breach, which included some 1.3 million user's information being stolen including credit card information. In another case a game called Brink was hacked and 200,000 users information was stolen.

So, obviously these guys are in the wrong right? Well, yes and no. They think they are completely in the right here. They could have been doing all these things and not made it public. Just stole the information, then sell it to someone and make a lot of money from it. Or perhaps use it themselves. In some cases they did that. Anonymous ordered about 100 pizzas to a Sony Executive's house. In fact, Sony is currently being sued for the weakness of their network. We would not have known about it, without the hacker attack.

The US government is fighting back and taking down servers which have obvious impacts on users and hosting agents at the same time. However, both ICE and the FBI feel they are 100% in the right based on the law. ICE firmly believes that it has the required authority and rights to take down websites, and the FBI feels it can take whatever servers it needs to find these guys.

It's the immovable object versions the unstoppable force, with the regular internet users in the middle. Most users won't notice unless some website they are using goes down, or they find out their card has been hacked. Users that play games, watch movies, and create content have the most risk in this battle.

How can users mitigate their risk? Well, the best thing to do is to get a specific online credit card that has a low limit that will cover your gaming and general online purchases. If you're only spending $10/month on games then get a card that will have a maximum of $100 or something like that. Minimize the number of credit cards you use online, and try to avoid using debit cards as much as possible. Additionally, try to create difficult passwords, something with multiple capital letters, numbers and special characters if the website allows it. Such as: Dr.Wh0d^nn!t something more random might be better, but it's still a much more difficult password to deal with than drwhodunit. If you are unable to create passwords like this, then you should request it from the website you are using.

Finally, there's only so much you can do as a user. Some of this has to deal with how the internet is structured. I'll discuss this tomorrow. Protect yourself as much as you can.

The NY Times posted this article yesterday about LulzSec.


  1. Interesting series Ryan, very nicely done.

    However i'd have to disagree on your password strategy: as is explained in this funny comic:, difficult passwords are not the main defense anymore.

    Personally i try to diversify between important stuff and unimportant stuff and never use an important stuffs password for an unimportant issue and vice versa. But that is just me.

  2. You're right. I should have explained to use more than one type of password. However, the main idea I was trying to get across is that people need to be more aware of what they are doing on the web and to pay attention to protect themselves.

    And thank you for the support!