It used to be that hacking was all about finding security flaws in the computers of rich targets and exploiting the weakness for as much money as possible.
Now, it seems a lot of hackers are doing it just for fun. Or as they say in hacking parlance, they’re doing it for the “lulz,” a variation on the Internet acronym LOL for “laugh out loud.”
“There’s a kind of return to the way things were 15 or 20 years ago, in the ’90s in particular, when we saw most cybercrime was kind of like digital graffiti and cyber-mischief,” said Chester Wisniewski, a senior adviser for security firm Sophos.
“It was harmful but it wasn’t for personal gain, it was mostly ego and competition. It seems the digital graffiti people have come back out of the woodwork, people who are doing hacking, data theft and website defacement for, as they call it, the lulz.”
A hacking group nicknamed LulzRaft made news in Canada last week after it claimed responsibility – through Twitter – for defacing the website of the Conservative party with a fake story about Prime Minister Stephen Harper choking on a hash brown. The group also claimed it had leaked party donors’ personal information onto the web.
But those actions should not be viewed as politically motivated attacks, said an anonymous spokesperson who replied to questions directed at the group’s e-mail account.
It just as easily could’ve been Jack Layton, Elizabeth May or Bob Rae who were featured in the prank. Those party leaders were only spared, the spokesperson said, because the NDP, Green and Liberal web servers had no obvious holes to target.
“It was just a hack of opportunity. In truth, we checked all the party websites and the Conservatives just stood out as being the easiest – and had the most potential for lulz,” the spokesperson wrote.
The group has since taken credit for another two lower-profile hacks, adding to the spree of cyberattacks that have stormed the web in recent weeks. Most have been triggered by the group Lulz Security, which has taken credit for repeatedly striking websites operated by Sony, PBS and even the U.S. Senate and the CIA.
There are different motivations and codes of ethics among hackers. So-called white hat hackers will notify IT administrators if they discover security holes, before any damage can be done by others, and sometimes work for corporations to hack-proof servers. On the other end of the spectrum are the black hats, who seek out ways to hack computer systems for their own gain. Somewhere in the middle are the grey hats, the label usually applied to Lulz Security. They have no qualms about taking down web targets but generally aren’t looking to profit off any damage they cause.
In some cases, those lulz-seekers are choosing their targets for political reasons and harnessing their technical skills to take down unprepared targets, said Rafal Rohozinski, CEO of the Ottawa-based SecDev Group, a cybersecurity consulting firm.
“Hacking is a nascent form of politics,” Rohozinski said.
“You’ve got this new generation of digital natives, generally people between the ages of 14 to 25, who have grown up with this technology. That generation is coming of age, so to speak, in terms of having political views, social values, and the way they’re starting to express that is through online activism.
“It’s really the first indication of this digital-native generation starting to flex its muscles.”
The PBS hack – Lulz Security posted a fake news story reporting that the late rappers Tupac Shakur and Biggie Smalls were alive and well in New Zealand – was seen as retribution for the documentary “WikiSecrets” and how it focused on the personal life of whistleblower Bradley Manning.
And it’s believed that Sony has been targeted by hackers ever since it sued George Hotz, who developed an unofficial software update for the PlayStation 3 that opened up unauthorized features, including the ability to play pirated games.
Wisniewski said he sympathized with Sony at first, but has grown increasingly tired of the company’s inability to safeguard customers’ information. Personal data from more than 100 million accounts has leaked online through a number of hacks.
Sony has been hammered by critics for leaving some personal data unencrypted, making it immediately legible once compromised, and for not protecting against simple hack techniques that are freely available online.
“It’s hard to defend them, the first two or three attacks I tried but then you start looking at it and you go, ‘Well, they haven’t done any of the best practices, they haven’t even done anything to respect their customers, they haven’t encrypted anything,’” Wisniewski said.
“Based on these incidents it does not look like they were trying, at all. The most recent attacks have been some of the least sophisticated trivial attacks to perform that are out there – they’re literally off the shelf tools you can download and point them at any website and it’ll tell you if it’s vulnerable.”
For its part, Sony has said it’s taking steps to prevent further attacks.
While it might be difficult or even impossible to thwart sophisticated and determined hackers, having a basic defence deters the majority who are simply looking for an easy target, Wisniewski said.
“You’ve got the guys going for the Hope diamond and then you’ve got the common street criminal, and when you’re talking about the common street criminal guy, which is probably 99 per cent of the Internet crime out there, they’re just looking for low hanging fruit, they’re opportunists.”
As Lulz Security becomes more and more brazen in choosing what sites to attack, Wisniewski wonders how long it’ll be before a major arrest is made.
“The U.S. government and some very powerful corporations have been victims of these attacks and as a result you can bet if it’s possible to find them there’ll be a lot of people looking for them,” Wisniewski said.
“Some of the stuff, as innocent as they like to make it seem, are serious federal crimes in the United States. I wouldn’t be all that comfortable.”
Earlier this week, three people with alleged links to the cyber group Anonymous were arrested in Spain, and another 32 were arrested in Turkey.
Those arrests may have a chilling effect and dissuade some hackers who have thought they were completely cloaked in anonymity online, said Rohozinski, especially because police have generally been unsuccessful in tracking down suspects in the past.
“In real life we have rules and norms that keep people from doing stupid stuff, but we don’t have good policing mechanisms in cyberspace. The inability of police forces to actually either define it as a crime or successfully prosecute it means there’s a whole range of cybercrimes which effectively have become decriminalized.”