Lulzsec and Anonymous: Showing us that internet security is a joke

If you’re a bit slow off the mark, you may be wondering who ‘Louise Boat’ is. LulzSec and Anonymous have been topping all of the major news sites for months now.

That’s because they’re making a mockery of internet security on sites that you would expect to know better. That includes leaking the transaction logs of over 3 000 ATMs in the UK, hacking Sony and compromising the accounts of at least 37 500 people, taking out the CIA website, and now obtaining over a gigabyte of confidential data from NATO.

In the UK, LulzSec reportedly emailed the National Health Service informing the organisation of a vulnerability within its security and providing it with details for a fix, without causing any havoc there.

It’s difficult to know how to feel about these groups. Their motivations are usually not for profit, and while they occasionally push an obvious political message, they are generally fairly transparent about what they are doing.

Breaking into systems and stealing data is wrong on so many levels, but what Anonymous and LulzSec have surely done this year, has shown us that the state of internet security really is laughable.

Part of the problem is that we’re often dealing with a weakest-link situation. Google has just announced that more than one million users visiting its search-engine are infected with a virus that funnels search traffic to malware and scammer sites.

Recently, I covered the TLD-4 virus, which many anti-virus vendors are suggesting is unstoppable.

Now, Android applications seem to be leaking personal data as well. With so many internet users making use of online services on computers that are more than likely compromised, it is no wonder that a group of teenagers are able to break into any online organisation they choose.

While I would love to lay the blame squarely on all those dirty machines that people just don’t seem to look after, that’s not a fair evaluation of the problem.

Frequently, hacking groups break into sites using simple techniques, directly attacking vulnerable servers and looking for weaknesses in code or in the existing security measures that are in place.

That’s because software is always buggy. Within the last week, Oracle has released patches for more than 78 critical database server flaws. Secunia, a software solutions company specialising in vulnerability management, announced that the number of critical vulnerabilities, or flaws, that permit system access, has increased from 24 percent to 30 percent over the last 12 months.

We’re feature hungry and the businesses that provide software are profit-driven. That means that while software is being developed at a frightening pace, security audits are not high in the priority list, and there are more and more vulnerabilities that administrators need to keep track of.

It’s not entirely fair, however to blame the software vendors. Software is a complex game. Often application and server software is developed using a wide variety of components including libraries and tools that are not developed in-house.

There are so many things to keep track of that it is quite possible that a single line of code somewhere can open up a critical vulnerability within your application. The fact that vendors regularly release patches and updates, makes it pretty clear that they do take the problem seriously. The problem, however, is often exacerbated by the fact that systems just aren’t kept up to date.

SQL injections, file inclusion and cross-server scripting are still common methods of attack and yet patches and fixes for these problems are released regularly by most vendors. So if the fixes are often available, why aren’t systems being kept in check? It seems obvious that much of the blame lies with the people responsible for maintaining these systems in the first place.

A much more pervasive and invisible problem lies at the heart of all internet security. It never seems like a good investment until it’s too late. That means you can’t really blame systems administrators at all.

Often, keeping software up to date requires that a company invest in ongoing support contracts, renewed licensing and sometimes a complete security audit and overhaul of systems and code. Usually this involves spending a lot of money and resources on projects that are not going to see any financial reward.

As I have already pointed out, the number of vulnerabilities that an administrator needs to track is an ever increasing variable, and usually the number of applications and systems within any organisation is also growing.

Security is a highly specialised field and most businesses leave it in the hands of a systems administrator who is struggling to fit every other business requirement into his work day.

While the police rush around proving that Anonymous is not really that anonymous, and every last teenager in LulzSec is arrested, we might breathe a huge sigh of relief and believe for a millisecond that the internet is safe again. Unfortunately this is such an untenable position that it seems futile arresting these kids.

As long as businesses put security at the bottom of the list of priorities and see it as a financial sink, LulzSec and Anonymous will only prove to be the beginning of a growing problem at the heart of the internet.

Image: JuanOsbourne