
CIA, Senate hackers gleefully promise more

Doug Gross
  • Lulz Security, or LulzSec, is a group claiming responsibility for recent high-profile hacks and attacks
  • Group breached Sony, U.S. Senate sites and launched attacks on the CIA
  • LulzSec is likely a spin-off group from WikiLeaks supporters "Anonymous"
  • The name is derived from "LOL," since members say it's all for a laugh

(CNN) -- They've breached or busted the websites of the CIA, PBS and the U.S. Senate, and launched at least part of an extended attack on Sony, whose PlayStation Network was brought to a grinding halt for the better part of a month.

And, to hear them tell it, it's all for a laugh.

Meet Lulz Security, or LulzSec, the gleeful and secretive band of hackers who appear to be responsible for a string of high-profile and sometimes embarrassing Internet attacks.

Their most recent strike, and arguably the most ambitious, was a distributed denial-of-service attack Wednesday that shut down the Central Intelligence Agency's website for a couple of hours.

A DDoS attack is fairly easy with the right software. But the group has also hacked into sites ranging from Sony Pictures to porn sites, often publishing the passwords and other personal information they find.

Instead of hiding in the dark shadows of the Internet, they are front-and-center on an active Twitter feed fueled with taunts, crude jokes and hints about future attacks.

For those who don't speak the language, "lulz" is an offshoot of "LOL," webspeak for laughing out loud. Think of it as a substitute for "just for a laugh."

"Lulz Security, where the entertainment is always at your expense, whether you realize it or not," read a recent post on the account. "Wrecking your infrastructures since 2011."

On Friday, on the occasion of their 1,000th tweet, the group posted a manifesto of sorts in which they said people, including their targets and advocates of Internet freedom, should be thankful.

"The main anti-LulzSec argument suggests that we're going to bring down more Internet laws by continuing our public shenanigans, and that our actions are causing clowns with pens to write new rules for you," the group wrote. "But what if we just hadn't released anything? What if we were silent? That would mean we would be secretly inside FBI affiliates right now, inside PBS, inside Sony... watching... abusing... ."

They seemed to suggest that by making their attacks public, they'll push websites to increase security. They said they're sitting on account information for 200,000 players of the online game Brink, but moments later said that releasing people's information is worth doing sometimes because it's fun.

"Yes, yes, there's always the argument that releasing everything in full is just as evil, what with accounts being stolen and abused, but welcome to 2011," they wrote. "This is the lulz lizard era, where we do things just because we find it entertaining."

Analysts said the group appears to be some sort of spin-off of "Anonymous," the loose coalition of hackers that grew to prominence through their support of whistle-blower site WikiLeaks.

But while Anonymous has its own set of moral codes and is largely politically motivated, LulzSec tends to be random.

For every hack like the one on PBS, which the group said came out of anger over a documentary about WikiLeaks, there's the cracking of a porn site -- and a subsequent public list of members' e-mail addresses and passwords.

Breaches are often followed by cautionary notes: Some have even denigrated their own hacking abilities, saying the sites they targeted were incredibly easy to penetrate.

"These seem like they're probably some kids in the garage or something that are just having fun," said David Gorodyansky, CEO and co-founder of security software firm AnchorFree.

A request for comment sent to the group's Twitter account was not returned Thursday.

Click on the group's website and the theme song from "The Love Boat" plays over an image of what the group calls "The Lulz Boat." The logo is a cartoon dandy in top hat, monocle and handlebar mustache.

But if the attitude is lighthearted (they've even set up a request line with a 614 Columbus, Ohio, area code, to solicit future target suggestions), the consequences can be serious.

For example, on Thursday LulzSec posted what it said were 62,000 e-mails and their passwords, gleaned from unknown sources (Gizmodo has posted a tool to help discover if your account is one of them).

Afterward, they retweeted messages from several followers who bragged they'd gotten access to PayPal, Amazon, Facebook and other accounts from the list.

One follower claimed to have hacked into a woman's Facebook account and broken up with her boyfriend.

It's unclear whether LulzSec members played a role in the Sony PlayStation Network breach that compromised the information of 77 million users. But they've posted on their website what they claim is proprietary information from Sony Pictures and other Sony properties' websites.

After the U.S. Senate breach, LulzSec posted what it called a "just-for-kicks" release of some internal data.

"We don't like the US government very much," it wrote. "Their boats are weak, their lulz are low, and their sites aren't very secure. In an attempt to help them fix their issues, we've decided to donate additional lulz in the form of owning them some more!"

To help avoid such attacks, Gorodyansky suggested website owners make sure to encrypt them. Using Hypertext Transfer Protocol Secure (https), instead of the "http" that most sites use, makes data more difficult to obtain.

He also urged organizations, businesses and governments to make sure they are running the latest updates, or firmware, for their security tools.

"You may have the latest and most expensive equipment, but if you don't update the firmware as soon as it comes out, it's very easy for the hackers to exploit," he said.

