Words of advice from a LulzSec attack survivor
How to respond to a serious security breach
By Robert Lemos | CSO | Published: 13:31, 13 June 2011
Between LulzSec's hacking of major organisations, such as Sony and PBS, the group found time to go after the four-person startup Unveillance. On June 3, the vandals posted documents from Unveillance CEO Karim Hijazi, as well as a recording of a conference call that they managed to join.
In this interview, Hijazi discusses the breach and what lessons he takes from the incident.
When did you first find out what had happened?
Hijazi: We sensed something impending. There was a lot more activity based on the logs. We instituted some strong security measures that were really intense, meaning whitelisting the access to the environment entirely, which means that you had to be explicitly known to get in. And that completely stifled any effort to get into the systems. And then I guess they started working on my email environment, because that was not hosted by me, but by Google. Yet again, they were able to solicit my work email and what they claimed to be my personal email as well.
My mistake was not using two-factor. The facility was available. I'll be really honest, had I used that, it may have been a different story. The problem is that ultimately these guys were pretty adamant about trying to get in. There are a lot of accusations made here, but the reality is that they were extorting me, whether for money or for our botnet intelligence.
When did LulzSec first contact you?
We sensed some strange activity prior to the 25th of May, but the official first contact, if you will, happened late in the evening on the 25th at 3 am, so very early morning on the 26th of May. And it was an email that came in via a Hushmail address that was fairly ominous, that had in the subject line one of my passwords.
It got my attention, basically. It was a very innocuous first email, but scary enough to make me pay attention. It was, "Let us talk."
Any other signs, besides the log traffic, that something was going on?
The only reason I wasn't caught off guard was because earlier that evening, I could tell that my emails were going from "unread" to "read" and back to "unread." So, I knew something was up.
I went into Google's web interface and they have a facility to show which IPs had hit it, and that is when I discovered that the iPredator VPN had dinged my email. And so I knew something was up. It's a free VPN tool out of Sweden that is notoriously anonymous. The encrypted VPN helps them obfuscate themselves quite well. That is what spurred me on to change the passwords on my email and go through my security checklist right then.
What about their claims that they had discussions with your company over the sale of information?
On the morning of May 26th, when I could make some calls, I called US-CERT and the FBI. I didn't know it was (LulzSec) at the time, but the FBI probably had a better idea about that than I did. I asked the FBI if they had any suggestions. And their advice was basically that it's like any other ransom situation, you have to keep playing along so you don't get killed.
So that's what I was doing: I was trying to keep the peace and not be belligerent. I was not going to threaten them aimlessly. So the email exchange went to chat and that's when they started going down the path of extorting me. And I told them, I don't think you've done your research on my firm, I'm a startup and I don't have any money. I've self-funded this. So, they said we will settle for your bots, your botnet information.
And when that didn't happen, they started to get really belligerent. I don't know if I'm dealing with one silly hacker kid or a group. Then later that evening, they still tried to come back to negotiate. I had told them at one point, if you guys have skills then maybe do something good, maybe you can help. So they asked me exactly what I meant by that. They never really committed to anything, and I didn't either.
Do you think you were a random target?
They claim that the hack on the Atlanta Infragard was first, where they were able to SQL inject it and get the usernames and passwords. I find it very curious that they singled me out, out of everyone at Infragard. It is very odd.
To this day, I'm still not sure what their motivation was to go after me. I'm a very small company and I'm very under the radar. We speculate that we may have taken bots from them in our efforts to sinkhole, but that is entirely speculation.
Are LulzSec and Anonymous similar threats?
Anonymous thinks that they have a motivation, from what they claim. LulzSec is like an unwieldy mercenary squad. Of course, some information indicates that these guys are the same group. But, the group is juvenile. Really juvenile. When I put a release out, they came back with name calling.
There was a protest element with Anonymous. This was just flat-out extortion. And greediness and silliness and anarchy. It is not a cause, it is really young kids playing around that have skills that are unfortunately misdirected.
What are the lessons for CSOs?
Companies do have to worry about these guys. There does not seem to be rhyme or reason for why they are picking certain things. Any average company sitting out there in the world should feel at risk. With our internal network we are fine. We are very confident with that. With our cloud-based email solution, I would suggest using all the means of security that are available to you, if you choose to go that route. Furthermore, one of the reasons I didn't use two-factor is speed of business; it's a very tedious, disciplined effort to use it.
Case in point: I now have to get an SMS to use my email. The last thing in the world I need is to get my email and I can't get phone reception, and I'm out of luck. There are a lot of elements there that are inconvenient, but now they are absolutely essential. Yes, I'm a true believer despite the slowness that comes with security.