Although many people have started to become aware of cybercrime with high profile targets in the news such as RSA, HBGary, and Verizon, a hacking group known as LulzSec has continued down the path of destruction by leaking personal information, defacing websites, and leaving users conscious that they could be the next victims. No matter the size of the corporation, LulzSec targets whomever they feel like wreaking havoc against just for the sake of getting a few chuckles (hence the name “lulz” meaning “lol” or laughing out loud). To date, LulzSec has taken down many high profile websites, such as PBS, Sony, US Senate, FBI, CIA, and various gaming sites. It’s reached the point where they have acquired approximately 200,000 followers on Twitter and are growing daily. Moreover, they continue to taunt people and organizations via their Twitter account, releasing Personal Identifiable Information (PII) on a regular basis. Their release of Sony’s internal network infrastructure, along with a database dump including over a million users’ PII, comes to mind. Another major instance occurred when 62,000 users’ personal information was leaked, including username and passwords that could easily be applied to other accounts those users may have created elsewhere, such as Amazon, Facebook, PayPal, and alternate emails accounts.

As more people follow the LulzSec group, major media stations are bound to jump on board, which may actually give the good guys a fighting chance at finding LulzSec. There are three main issues, however, that prevent the group from being identified. The first is that no one knows how large of a group LulzSec is, while the second issue stems from international laws and poor cooperation between opposing countries. Finally, the technology LulzSec uses to hide their tracks, such as anonymous VPN servers with no logs, proxy servers, and encrypting their network traffic through SSL, adds to the difficulty of tracking down members. LulzSec has gotten so good at hiding their tracks online that they have reached out to the Internet via Twitter and set up a hotline for requests on who to take down next. The result is a giant “game” that everyone can participate in, which once included a post on Twitter indicating that LulzSec would give away $1000 to anyone who guessed the correct word of the day (unfortunately, no one won the money).

In closing, it’s becoming more evident that security needs to play a major role in all organizations, especially any company that stores PII. Granted, security may come at a cost, but this cost should be worth it to any business that does not want to risk a data breach that results in the loss of a large number of customers. Now is the time to educate users on security best practices such as using strong passwords and not opening any suspicious attachments. Organizations should also put the proper mechanisms in place to provide a layered approach for combating these attacks by using encryption, creating secure code, and segmenting PII from any public facing website.  The combination of these measures should slow down the LulzSec ship and keep personal data private.

GraVoc Associates, Inc. is committed to providing solutions to customers with the use of technology through its practices of information technology & professional services, media production, information systems, and information security.  Our information security practice provides IT assurance, consulting, and audit solutions that will help businesses secure confidential data from malicious parties both from the outside and the inside.  For more information regarding GraVoc’s services, please visit