- The Washington Times - Thursday, June 30, 2011

The anarchistic hacker group LulzSec formed, attacked websites around the world and announced its breakup all within two months — demonstrating the speed with which cybersecurity threats develop in the Internet age.

Since emerging in May, LulzSec has:

• Decrypted and published the login names, passwords and other personal information of members of the FBI’s private sector partnership organization Infraguard.

• Broken into NATO’s online electronic bookstore.

• Posted confidential documents from a half-dozen foreign governments.

• Briefly taken offline the websites of the CIA and of Britain’s Serious Organized Crime Agency.

This week, the group — apparently less than a dozen strong — posted hundreds of internal documents stolen from the Arizona State Police computer network, including the home addresses of several officers and their families.

Cybersecurity experts tell The Washington Times that copycat groups already are emerging all over the world, that the hacker tools they use are widely available and that LulzSec’s nihilistic mindset will continue spreading.

“It’s the idea behind it that will be picked up,” said David Marcus, director of security research for McAfee Labs, noting that LulzSec lookalikes already had been founded in Brazil and Spain. “It’s hard to fight an idea.”

The group has used the slogan, “Laughing at your security since 2011,” and derives its name from “security” and the Internet term “lulz,” which means “loads of laughs.” LulzSec also has 280,000 followers on Twitter.

The group’s objective has been “basically to laugh at you and embarrass you about your poor security,” Mr. Marcus said. “They’re very hard to categorize.”

“We like crushing things; we like inside info,” wrote a member using the name Espeon about the group’s philosophy during an Internet chat with a security executive whose firm LulzSec had hacked. The group later published a purported transcript of the exchange.

Over the weekend, LulzSec issued a statement saying it was disbanding out of “boredom.”

Mr. Marcus said the group “crossed a line” in posting the home addresses and phone numbers of Arizona Department of Public Safety officers and their families. “That’s not funny, that’s not ‘lulzy,’ ” he said. “If you want to protest, protest. But that is putting people in danger.”

Many of the group’s attacks have used relatively simple methods, including SQL injection, in which hackers exploit very widespread and easily discoverable software security flaws to take control of websites’ databases.

Story Continues →