Share this article

print logo

'Hacking 2.0' is vandalism with an element of danger

Over the past few weeks we have seen increased coverage in the media of hacking events. Hacking has not increased, but now it's communal and public. I call it "hacking 2.0" when social media such as Twitter, YouTube and blogs are used to broadcast plundered private data, advertise hacking accomplishments, engage an audience and, yes, even make money.

At the forefront of this new brand of hacking is a group known as LulzSec. We first heard of it in April when it brought down the Sony PlayStation Network. Shocked and angry gamers demanded answers, and in early May, Sony's leadership apologized and ended up at a congressional hearing. In a letter to Rep. Bono Mack they stated, "Sony has been the victim of a very carefully planned, very professional, highly sophisticated criminal cyber attack."

As an information security professional, this was pure schadenfreude. I even developed an Internet crush on LulzSec. Why? Because what Sony was referring to as a highly sophisticated criminal cyber attack turned out to be one of the most common ways to attack a website: It is referred to as a SQL injection. You may not know the acronym SQL -- structured query language -- but chances are high you have used the acronym TMI -- too much information. It probably happened when someone divulged so much personal information he made you feel uncomfortable.

Well, websites can suffer from the same malaise. Most websites have a database on their back end, which stores information. It could be user names and passwords, a list of products or a customer's contact information. In an SQL injection attack, the attacker enters information that the website is not well programmed to handle (e.g. instead of entering a user name, he enters an SQL query -- database speak). This leads to the website exposing TMI about the layout of the database behind it, which then allows an attacker to craft some more queries that could lead to the website "spilling its guts" and revealing gobs of sensitive data.

Yes, it's that simple. This is why I was not sympathetic to Sony's woes because frankly, a company with Sony's size and resources should have taken better steps to secure its systems.

However, like most puppy love, my Internet crush on LulzSec has faded fast. Since the Sony hacks -- yes, there have been several -- LulzSec has attacked PBS, Atlanta InfraGard (an FBI affiliate), the CIA's public website, the Arizona State Police among others, all for the laughs.

I counted 45 instances of data "releases" on its website from its hacking spree. These include downloadable files of people's user names and passwords, names, addresses and internal documents from law enforcement officials that could jeopardize their initiatives or even worse -- their lives.

At this point this is just vandalism, and there's nothing new about that.

***

Betsy Bevilacqua is the privacy and information security officer for a health solutions company in Western New York. The views expressed are her own.

There are no comments - be the first to comment