The online vigilante groups Anonymous and LulzSec are weakening their cause with scattershot attacks and need to get more intelligent and focused, according to a panel of computer security experts at the DefCon hacker conference in Las Vegas.
“We have an opportunity to not just cause chaos, but to cause organized chaos,” said Josh Corman, research director at the analyst firm 451 Group, who said the groups are burying their message in noisy denial-of-service and SQL attacks. “I’m suggesting the actions in pursuit of their own goal compromise their goal. There’s a way to render more specific what they want to accomplish.”
The loosely affiliated groups have launched controversial denial-of-service attacks on PayPal and MasterCard, after the money services stopped processing donations for WikiLeaks, as well as on PBS.com after the groups took issue with a PBS documentary about alleged WikiLeaks source Bradley Manning. They’ve also masterminded hacks of government contractors, and participated in hacks of Sony.
But Corman said the groups would be better off focusing their energy on more significant things like taking down child-exploitation sites.
“That’s something we can all get behind,” Corman said.
Another panelist, unimpressed with Anonymous’s recent hack of defense contractor ManTech International, said the groups should focus on finding evidence of corrupt governments and exposing things like the Collateral Murder video that WikiLeaks published in 2010, which showed an Army gunship opening fire on a group of civilians in Iraq.
“If you’re going to do this, then find the real dirt,” said the panelist, who initially appeared on stage in disguise, wearing sunglasses and a scarf to cover his head and the lower half of his face. After audience members called for him to reveal himself, he removed the disguise and identified himself as security blogger Krypt3ia.
The disguise highlighted the fact that many security people fear speaking out publicly against Anonymous and LulzSec after Anonymous hacked the network of HBGary Federal and exposed thousands of emails from the company’s then-CEO Aaron Barr. Anonymous targeted the company after Barr was quoted in a news article asserting that he knew the identities of some Anonymous members and would be providing the information to the FBI.
Barr and his company faced intense scrutiny after his exposed emails revealed that they were involved in a shady undercover operation to discredit WikiLeaks and some of the people who support the group, and Barr was eventually fired in an effort by the company to distance itself from the controversial plan.
Barr was scheduled to appear on the DefCon panel but withdrew after HBGary threatened to sue him and his current employer if he spoke about the hack and his company’s anti-WikiLeaks project.
Corman said that in the company’s effort to suppress discussion of the issue, it had “put a big target on themselves.”
“I’ve had people come up to me saying guess who my next target is? HB Gary,” he said.
The provocative panel, moderated by Paul Roberts, editor of the ThreatPost security blog, also included Jericho, a founding member of Attrition.org, a computer security site that specializes in investigating and exposing industry frauds.
The panel discussion touched on the ethics of Barr’s activities, but focused primarily on the activities of Anonymous and LulzSec.
Krypt3ia accused the groups of not having real goals but of simply wanting “to smash things” and then coming up with a cause for their hacks afterward to defend their actions. He noted that because the nebulous nature of Anonymous and LulzSec allows any hacker to claim membership in the groups, corporate spies and nation-state actors can now hide their activities under the umbrella of Anonymous to draw suspicion away from themselves.
Jericho called on the community to “build a better anonymous” to create one that wouldn’t cause as much collateral damage from its actions and could have a beneficial effect on the security industry. He suggested that Anonymous and LulzSec might have a role to play in improving computer security by hacking companies that fail to secure their systems despite repeated warnings that they’re vulnerable.
If companies don’t do the security they need to do, “why not force them to get it,” he said. “You’re not learning your lessons, so maybe it is time for Anonymous or LulzSec to come in . . . and wake them up.”
Another fair target, he said, would be companies that sue researchers who uncover vulnerabilities in their systems or products. Sony, which has experienced ongoing hacks over recent months, was initially hacked over the company’s choice to sue Sony PlayStation 3 tinkerer George Hotz.