LulzSec and Anonymous: showing us that Internet security is a joke

2011-07-27 00:00

IF you’re a bit slow off the mark, you may be wondering who Louise Boat is. LulzSec and Anonymous have been topping all of the major news sites for months now.

That’s because they’re making a mockery of Internet security on sites that you would expect to know better. That includes leaking the transaction logs of over 3 000 ATMs in the United Kingdom, hacking Sony and compromising the accounts of at least 37 500 people, taking out the CIA website, and now obtaining over a gigabyte of confidential data from Nato.

In the UK, LulzSec reportedly e-mailed the National Health Service informing the organisation of a vulnerability within its security and providing it with details for a fix, without causing any havoc there.

It’s difficult to know how to feel about these groups. Their motivations are usually not for profit and while they occasionally push an obvious political message, they are generally fairly transparent about what they are doing.

Breaking into systems and stealing data is wrong on so many levels, but what Anonymous and LulzSec have surely done this year, is show us that the state of Internet security really is laughable.

Part of the problem is that we’re often dealing with a weakest-link situation. Google has just announced that more than one million users visiting its search engine are infected with a virus that funnels search traffic to malware and scammer sites.

Recently, I covered the TLD-4 virus, which many anti-virus vendors are suggesting is unstoppable. Now, Android applications seem to be leaking personal data as well. With so many Internet users making use of online services on computers that are more than likely compromised, it is no wonder that a group of teenagers are able to break into any online organisation they choose.

While I would love to lay the blame squarely on all those dirty machines that people just don’t seem to look after, that’s not a fair evaluation of the problem.

Frequently, hacking groups break into sites using simple techniques, directly attacking vulnerable servers and looking for weaknesses in code or in the existing security measures that are in place.

That’s because software is always buggy. Within the last week, Oracle has released patches for more than 78 critical database server flaws. Secunia, a software solutions company specialising in vulnerability management, announced that the number of critical vulnerabilities, or flaws, that permit system access, has increased from 24% to 30% over the past 12 months.

We’re feature-hungry and the businesses that provide software are profit-driven. That means that while software is being developed at a frightening pace, security audits are not high on the priority list and there are more and more vulnerabilities that administrators need to keep track of.

It’s not entirely fair, however, to blame the software vendors. Software is a complex game. Often application and server software is developed using a wide variety of components, including libraries and tools that are not developed in-house.

There are so many things to keep track of that it is quite possible that a single line of code somewhere can open up a critical vulnerability within your application. The fact that vendors regularly release patches and updates makes it pretty clear that they do take the problem seriously. The problem, however, is often exacerbated by the fact that systems just aren’t kept up to date.

SQL injections, file inclusion and cross-server scripting are still common methods of attack and yet patches and fixes for these problems are released regularly by most vendors. So if the fixes are often available, why aren’t systems being kept in check? It seems obvious that much of the blame lies with the people responsible for maintaining these systems in the first place.

A much more pervasive and invisible problem lies at the heart of all Internet security. It never seems like a good investment until it’s too late. That means you can’t really blame systems administrators at all.

Often, keeping software up to date requires that a company invest in ongoing support contracts, renewed licensing and sometimes a complete security audit and overhaul of systems and code. Usually this involves spending a lot of money and resources on projects that are not going to see any financial reward.

As I have already pointed out, the number of vulnerabilities that an administrator needs to track is an ever increasing variable, and usually the number of applications and systems within any organisation are also growing.

Security is a highly specialised field and most businesses leave it in the hands of a systems administrator who is struggling to fit every other business requirement into his or her work day.

While the police rush around proving that Anonymous is not really that anonymous, and every last teenager in LulzSec is arrested, we might breathe a huge sigh of relief and believe for a millisecond that the Internet is safe again. Unfortunately, this is such an untenable position that it seems futile arresting these kids. As long as businesses put security at the bottom of the list of priorities and see it as a financial sink, LulzSec and Anonymous will only prove to be the beginning of a growing problem at the heart of the Internet. — memeburn.com

Join the conversation!

24.com encourages commentary submitted via MyNews24. Contributions of 200 words or more will be considered for publication.

We reserve editorial discretion to decide what will be published.
Read our comments policy for guidelines on contributions.

24.com publishes all comments posted on articles provided that they adhere to our Comments Policy. Should you wish to report a comment for editorial review, please do so by clicking the 'Report Comment' button to the right of each comment.

Comment on this story
0 comments
Comments have been closed for this article.

Inside News24

 
/Sport

Book flights

Compare, Book, Fly

Traffic Alerts
There are new stories on the homepage. Click here to see them.
 
English
Afrikaans
isiZulu

Hello 

Create Profile

Creating your profile will enable you to submit photos and stories to get published on News24.


Please provide a username for your profile page:

This username must be unique, cannot be edited and will be used in the URL to your profile page across the entire 24.com network.

Settings

Location Settings

News24 allows you to edit the display of certain components based on a location. If you wish to personalise the page based on your preferences, please select a location for each component and click "Submit" in order for the changes to take affect.




Facebook Sign-In

Hi News addict,

Join the News24 Community to be involved in breaking the news.

Log in with Facebook to comment and personalise news, weather and listings.