I haven't seen this posted on DKOS anywhere, so I'm posting it. Hopefully it will be of interest to techies and non-techies alike. This being my first time posting a diary, I hope you'll be gentle. Also note, I'm trying to be as plain-spoken as I can be and explain some of the terminology to save googling. (Also, why isn't "googling" recognized by this spellchecker... honestly, it's been years since it came into common parlance.)
Again, first diary, be gentle.
For those not in the know, LulzSec is a hacker group that has gained recent fame for its attacks on the Sony network and PBS. Recently, in response to pronouncements from our administration and NATO that "cyber-attacks" would be considered military attacks and subject to military reciprocity, they issued a response: "Challenge accepted."
That response and some details, as well as a nice peek into the world of IT security are below the fold.
Anyone who doesn't want to read the crap I wrote can, by all means, go straight to the meaty links of tasty goodness:
http://nakedsecurity.sophos.com/...
http://jadedsecurity.net/...
LulzSec, a hacker group that's been in the news of late for exploiting Sony's incompetence and attacking PBS, recently held an operation called "F**kFBIFriday." The operation was in response to idiotic pronouncements and, apparently, policy changes that now consider "cyber-attacks" to be open to military retaliation.
As part of the operation they attacked the Atlanta chapter of InfraGard.
From http://nakedsecurity.sophos.com/...:
Infragard describes itself as a non-profit focused on being an interface between the private sector and individuals with the FBI. LulzSec published 180 usernames, hashed passwords, plain text passwords, real names and email addresses.
Not all of the passwords were cracked, apparently because many users had passwords of responsible length and complexity. The remainder were either poor passwords or improperly salted (a salt is random data added to a password before it is hashed and saved in a database, which makes the stored value harder to crack). After defacing the site, they went on to try the recovered passwords on multiple other sites, and found that multiple parties were reusing passwords, in violation of good security practice and of InfraGard's own best-practices manual.
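To show concretely what "improperly salted" means, here is an added illustration that is not part of the original diary or of any of the linked write-ups: two constructed accounts sharing a password are stored first with a bare unsalted hash, then with a per-user salt and a slow key-derivation function. The account names and passwords are made up for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts (not from any leaked data). Two users happen
# to share a password, which is exactly the situation reuse checks turn up.
USERS = {"alice": "correct horse battery", "bob": "correct horse battery"}

def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Equal passwords give equal hashes,
    and a single precomputed table of common passwords matches every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Stronger scheme: a random per-user salt plus a slow, iterated KDF
    (PBKDF2-HMAC-SHA256). The salt is stored alongside the hash."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

def shared_password_visible(hashes) -> bool:
    """Can someone holding only the database see that two users share a
    password? True when any two stored values collide."""
    hashes = list(hashes)
    return len(set(hashes)) < len(hashes)

def compare_schemes():
    """Hash the sample users both ways and report what each database reveals."""
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    strong = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        "unsalted_reveals_reuse": shared_password_visible(weak.values()),
        "salted_reveals_reuse": shared_password_visible(strong.values()),
        "salted_verifies": all(verify(strong[u], p) for u, p in USERS.items()),
    }

if __name__ == "__main__":
    print(compare_schemes())
```

With the unsalted scheme the database itself tells a reader that alice and bob share a password, and cracking one entry cracks both; with the salted scheme each entry must be attacked separately, and the iteration count makes each guess expensive.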
One particular user was singled out: one Karim Hijazi. Apparently he used the same credentials for both his corporate and Gmail email accounts. This person was apparently contacted by LulzSec and, according to their logs, offered them cash in exchange for a combination of not telling anybody he'd been hacked and attacking his competitors.
Karim Hijazi runs a site called http://www.unveillance.com/ which bills itself as a security firm. This is the part that is perhaps most interesting as a behind-the-scenes peek into the scummy world of security companies and why hacks like this aren't all bad (and are hilarious).
Mr Hijazi is apparently one of many in the ITSec field who are in it for the long con. He seems to have established a company that bills itself using whatever buzzwords currently sound most impressive to people with chequebooks and sells them a product that doesn't work.
The specific combination of cons he uses includes not only "throw buzzwords at the boss" but also the classic "infect them, then cure them." To this end Mr Hijazi has apparently paid money to an Indian registrar for a revolving set of domains that change monthly, for use as "command and control" nodes for a botnet. This botnet would then be used to attack his quarry, and he can then rush in and say "see, I saved you!" The cheques are cut, and everyone is happy.
What, you may ask, happens if they discover they've been had and the "product" they've bought does nothing? 99.99% of the time, nothing. If your job hinged on looking like you knew what you were doing, would you let it be known you were incompetent? It's a similar situation to a bank paying blackmail to criminal hackers who demand money not to bring down its systems. They absorb the cost quietly and move on until the next time.
The extent of his setup and a great deal of background information can be found here:
http://jadedsecurity.net/...
I salute jadedsecurity since, at 4am, I'd probably roll over and wait until noon to bother to investigate... in fact, that's what I DID do.
This is a subject that doesn't get much play in the media beyond "hackers attacked site X." The reason isn't just the technological complexity, but that entire industries and reputations are built on this sort of thing. Specifically, the anti-virus industry has for decades exploited an unsuspecting public and convinced them that its products protect them, which they do not.