Big headlining breaches are all over the news these days, and the star of the show recently has been the group lulzsec. Lulzsec is extremely popular on Twitter right now due to their cavalier approach to securing the Internet. As their name implies, they are in it just for the lulz, and because it is just for the lulz, they put no restrictions on themselves. They gain access to companies, post stolen information, and openly mock said company for not being secure enough to stop them. Some agree with what they are doing and some disagree, but the big question I have seen is “Is lulzsec a necessary evil that will get companies to actually pay attention to the security of their own systems?”
I have heard security guys, for years, preach that companies are only skating by with the bare minimum when it comes to the security of their IT infrastructure. It's the mentality that you set the bar just slightly higher than your competitor so that attackers pursue the other guy first. From a business standpoint, I can see where it makes sense. You (theoretically) come out ahead with far fewer resources spent on the issue, but it does not take the persistent threat into account, and lulzsec is proving that. Notice how I left “advanced” out of that last statement? Persistence can triumph even without being advanced. As it appears right now, lulzsec is not advanced at all, as they are utilizing basic SQL injection tactics to obliterate these companies. But are they a necessary evil?
I would have to say yes. Currently, there is no system that holds companies accountable for less than reasonable security practices. I would like to point out the TJX breach as a prime example. After a breach of almost 50 million credit card numbers (through a WEP network), it seems they are going strong. I believe that they are still going strong because they play the role of the innocent victim, and people identify with that and continue shopping there. If lulzsec had been responsible for the TJX breach, there would have been no incentive to stay quiet for personal gain, and TJX couldn't have played the victim card because lulzsec would be publicly bashing them for having less than standard security practices. You can't play victim when the main reason you were breached was that you weren't doing it right to begin with.
I am personally cheering lulzsec on. Yes, what they are doing is illegal. Yes, they are hurting innocent bystanders in the process. And yes, they are causing catastrophe, but until we come up with a better system for making companies accountable, we might as well have some lulz as we watch them be humiliated.