• Motorburn
      Because cars are gadgets
    • Gearburn
      Incisive reviews for the gadget obsessed
    • Ventureburn
      Startup news for emerging markets
    • Jobsburn
      Digital industry jobs for the anti 9 to 5!

Lulzsec and Anonymous: Showing us that internet security is a joke

If you’re a bit slow off the mark, you may be wondering who ‘Louise Boat’ is. LulzSec and Anonymous have been topping all of the major news sites for months now.

That’s because they’re making a mockery of internet security on sites that you would expect to know better. That includes leaking the transaction logs of over 3 000 ATMs in the UK, hacking Sony and compromising the accounts of at least 37 500 people, taking out the CIA website, and now obtaining over a gigabyte of confidential data from NATO.

In the UK, LulzSec reportedly emailed the National Health Service informing the organisation of a vulnerability within its security and providing it with details for a fix, without causing any havoc there.

It’s difficult to know how to feel about these groups. Their motivations are usually not for profit, and while they occasionally push an obvious political message, they are generally fairly transparent about what they are doing.

Breaking into systems and stealing data is wrong on so many levels, but what Anonymous and LulzSec have surely done this year, has shown us that the state of internet security really is laughable.

Part of the problem is that we’re often dealing with a weakest-link situation. Google has just announced that more than one million users visiting its search-engine are infected with a virus that funnels search traffic to malware and scammer sites.

Recently, I covered the TLD-4 virus, which many anti-virus vendors are suggesting is unstoppable.

Now, Android applications seem to be leaking personal data as well. With so many internet users making use of online services on computers that are more than likely compromised, it is no wonder that a group of teenagers are able to break into any online organisation they choose.

While I would love to lay the blame squarely on all those dirty machines that people just don’t seem to look after, that’s not a fair evaluation of the problem.

Frequently, hacking groups break into sites using simple techniques, directly attacking vulnerable servers and looking for weaknesses in code or in the existing security measures that are in place.

That’s because software is always buggy. Within the last week, Oracle has released patches for more than 78 critical database server flaws. Secunia, a software solutions company specialising in vulnerability management, announced that the number of critical vulnerabilities, or flaws, that permit system access, has increased from 24 percent to 30 percent over the last 12 months.

We’re feature hungry and the businesses that provide software are profit-driven. That means that while software is being developed at a frightening pace, security audits are not high in the priority list, and there are more and more vulnerabilities that administrators need to keep track of.

It’s not entirely fair, however to blame the software vendors. Software is a complex game. Often application and server software is developed using a wide variety of components including libraries and tools that are not developed in-house.

There are so many things to keep track of that it is quite possible that a single line of code somewhere can open up a critical vulnerability within your application. The fact that vendors regularly release patches and updates, makes it pretty clear that they do take the problem seriously. The problem, however, is often exacerbated by the fact that systems just aren’t kept up to date.

SQL injections, file inclusion and cross-server scripting are still common methods of attack and yet patches and fixes for these problems are released regularly by most vendors. So if the fixes are often available, why aren’t systems being kept in check? It seems obvious that much of the blame lies with the people responsible for maintaining these systems in the first place.

A much more pervasive and invisible problem lies at the heart of all internet security. It never seems like a good investment until it’s too late. That means you can’t really blame systems administrators at all.

Often, keeping software up to date requires that a company invest in ongoing support contracts, renewed licensing and sometimes a complete security audit and overhaul of systems and code. Usually this involves spending a lot of money and resources on projects that are not going to see any financial reward.

As I have already pointed out, the number of vulnerabilities that an administrator needs to track is an ever increasing variable, and usually the number of applications and systems within any organisation is also growing.

Security is a highly specialised field and most businesses leave it in the hands of a systems administrator who is struggling to fit every other business requirement into his work day.

While the police rush around proving that Anonymous is not really that anonymous, and every last teenager in LulzSec is arrested, we might breathe a huge sigh of relief and believe for a millisecond that the internet is safe again. Unfortunately this is such an untenable position that it seems futile arresting these kids.

As long as businesses put security at the bottom of the list of priorities and see it as a financial sink, LulzSec and Anonymous will only prove to be the beginning of a growing problem at the heart of the internet.

Image: JuanOsbourne

Author | Rowan Puttergill: Columnist

Rowan Puttergill: Columnist
Rowan Puttergill is a technology evangelist and software engineer with a long career working in enterprise environments. He brings with him the experience of being the Technical Editor at SA Computer magazine, and a career history as a technical author. He is a huge advocate of open-source technologies, and... More
  • Owlafaye

    A “growing problem at the heart of the Internet”

    It is already a huge problem.  Not only viruses and malware, break-ins and dysfunctional search results…the entire focus of the Internet has become ADVERTISING.

    It is becoming impossible to get information…the multiple of layers of advertising entail hours of search for information on a subject that can be found in a library in 10 minutes!

    The Internet is no longer a time saver, there is no “instant information” any more.  We are spied upon and our desires are mis-routed in an attempt to get us to BUY SOMETHING.

    Buying anything through the Internet entails great risk and generally a “no returns” policy in that it is almost impossible to get the vendor to reply much less refund.

    Your bank account is compromised if you have used your credit card on the Internet just once.  Companies such as Pay Pal are engaged in outright fraud in that they do not respond to customer complaints of fraud in their accounts and getting a refund from Pay Pal is impossible unless you re-enter a new credit card number.  They DO NOT send checks!  Even when you have a clear case of fraud and present it to Pay Pal and like businesses…they simply DO NOT RESPOND!

    The Internet has become a joke.

    Computers NOT hooked to the Internet are still a great labor saving device and information storage is a boon to business and private parties…but hooking this system into the Internet is RIDICULOUS….you are sticking your neck out to HERE.

  • None

    Anon and lulz are hypocrites. They even had there own website hacked by real hackers. All this security bs by them is just a cover for them to commit their crimes.

  • Pingback: Defcon ‘Kids Village’ guides hackers of the future | memeburn()

  • Pingback: What does the Shionogi incident teach us about Virtualisation? | memeburn()