It has been reported that Paul Ducklin, Head of Technology for Sophos, referred to the Lulz Security (LulzSec) hackers as “schoolboys.” He added that most of the break-ins were “languorously orchestrated, using nothing more sophisticated than entry-level automatic web database bug-finding tools, available for free online.” So are schoolboys hacking sites designed by preschoolers?

In 2011, LulzSec was credited with successful cyber attacks on Sony, Nintendo, PBS, Black & Berg Cybersecurity Consulting, Pron.com, the Bethesda Game Studios network, Minecraft, League of Legends, The Escapist, FinFisher, MediaFire, InfraGard, the U.S. Senate and the U.S. Central Intelligence Agency.

So if entry-level tools were used, what does that say about the level of security skills of the people who built and manage the CIA’s website? When terrorists and unfriendly governments attack the CIA with far more sophisticated means, does that mean they are going completely undetected? So who is Ducklin really insulting: the CIA or LulzSec?

When Troy Hunt, an Australian software architect, analyzed the nearly 40,000 Sony passwords stolen by LulzSec, he found that, among the accounts sharing the same user name (e-mail address) across the data sets, 92% used the same password.
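The cross-breach check Hunt described can be scripted: join two password dumps on e-mail address and count the shared accounts whose passwords match. This is an added illustration, not code from the original post or from Hunt's analysis, and the two dumps below are constructed sample data with made-up addresses and passwords.

```python
"""Password-reuse audit across two constructed breach dumps.

Given two data sets of "email:password" lines, find the accounts that appear
in both and measure how many of them reuse the same password.
"""

# Constructed sample dumps; none of these accounts or passwords are real.
DUMP_A = """\
alice@example.com:Summer2011
bob@example.com:letmein
carol@example.com:qwerty123
Dave@Example.com:hunter2
erin@example.com:p@ssw0rd
"""

DUMP_B = """\
alice@example.com:Summer2011
bob@example.com:letmein
carol@example.com:Winter2011
dave@example.com:hunter2
frank@example.com:football
"""


def parse_dump(text: str) -> dict:
    """Map each e-mail address (lower-cased, so Dave@Example.com and
    dave@example.com are the same account) to its password. Lines without a
    ':' are skipped; only the first ':' splits the fields, so a password that
    itself contains ':' survives intact."""
    accounts = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, password = line.split(":", 1)
        accounts[user.strip().lower()] = password
    return accounts


def reuse_report(dump_a: str, dump_b: str) -> dict:
    """Return how many accounts occur in both dumps, how many of those reuse
    the identical password, the reuse percentage, and the reusing accounts."""
    a, b = parse_dump(dump_a), parse_dump(dump_b)
    shared = sorted(set(a) & set(b))
    reused = [user for user in shared if a[user] == b[user]]
    rate = round(100.0 * len(reused) / len(shared), 1) if shared else 0.0
    return {"shared": len(shared), "reused": len(reused),
            "reuse_pct": rate, "reused_users": reused}


if __name__ == "__main__":
    print(reuse_report(DUMP_A, DUMP_B))
```

Run against real dumps, this is exactly the measurement that exposes password reuse; the same join on normalized e-mail address is what a defender's credential-exposure check does before forcing a reset.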

I have known different IT security people, and they are not dumb. While I hate hackers who destroy people’s lives with their attacks, I also acknowledge that some have amazing programming talents.

So what can be done to help protect company data?

  • Train employees on security.
  • Don’t open email attachments from people you don’t know. They are the source of malware.
  • Use a unique user name and password for every site, and make both complex.