SQL Clone
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in

LulzSec: Why You Should Care

Updating Resume is NOT Lulz

Wow, it’s been a crazy last couple of months with LulzSec running around doing what they do. Oh, what’s that? You’ve never heard of them? Well for many outside of IT this is probably the case. For those of us who ARE in IT have more than likely heard of them as well as their high-profile hacking exploits over the last couple of months.

This weekend TechCrunch posted a pretty good discussion piece on how the media has handled LulzSec’s exploits. To summarize in my own words, the author states that the general media cowered in the coverage of what this group was doing by hacking and leaking info of high profile targets such as the CIA (website), AT&T (internal data leaked) and Arizona Department of Public Safety (internal documents and sensitive information leaked). Carr goes on to say that rather than report on the seriousness of the group’s crimes and activities media would rather cheerlead them due to fear of retaliation from the group itself.

So what does this have to do with SQL Server? Well, if anything, I hope this rash of high-visibility targets has raised your awareness about something that far too many people slack in: Security. When was the last time you did a true security audit of your database servers? Are your web applications authenticating with the sa account (read also: “God” rights)? Are they authenticating with Windows accounts that are backed by stringent and contained groups via Active Directory? If you’re not certain of any of those questions I highly suggest you take a look at Brian Kelley’s (Blog | Twitter) SQL University Security Week posts from this past semester and start to at least formulate some kind of plan.

Security shouldn’t be an afterthought, it should be a base. As data professionals we hold are tasked with protecting the most vital piece of any organization: its data. Do you want to answer to your supervisor, manager and Executives when someone walks away with sensitive information from YOUR databases? Do yourself a favor and if you’re not already discussing security in your offices, start it. How do you handle security in your organization? Afterthought? Hardcore? What’s security? Let me hear your thoughts in the comments.


Posted by roger.plowman on 1 July 2011

Web security is a myth. As in--there is no such thing. It's in the same category as Santa Claus and the Easter Bunny. Or unicorns.

There are lots of reasons for the lack of security. The primary one, of course, is the standard Defender's Dilemma: The defenders have to be lucky *every single time*, the attacker only has to be lucky *once*.

Couple that with the Byzantine complexity of how the internet works, databases talking to web services talking to browsers--any one of which can be compromised with a single error in coding, and then add in clueless upper management who wants the entire thing put in place in a *week* (if you're lucky). Then mix scaling issues in. Oh, and cost must be minimized and ROI maximized...

The perfect storm.

LulzSec are criminals, yes. But they did what no one else in 40 years has ever done--made the public aware of just how much of a house of cards the internet is. Did it suck for the people impacted? Of course it did.

But this clue-by-four had nails in it, and LulzSec just whacked the public in the groin. Nobody's ignoring the problem anymore, now are they?

Fixing it--well, that's a whole 'nother kettle of worms...

Oh, and the media aren't cowards. :) They're *jackels*, hyping the (horrific) new even further, to make *money* from it. By their nature they're on whoever's side that makes the most exciting news, because that's what sells newspapers!

Posted by Jorge Segarra on 1 July 2011

Roger, I will have to respectfully disagree with you. Web security isn't a myth, it's just not easy to fully implement. We live in a "want it now" culture so many times projects get rushed through and something like security, which would surely impact the ease/speed of developing and delivering, becomes an afterthought if it ever enters the picture at all.

While I don't condone the actions of LulzSec I am glad that they put a spotlight on this since nothing short of public hacks/leaks seems to get the attention of decision makers. We, the ones in the trenches, can kick and scream about stuff like security, proper schemas, permissions, etc. but until something like this happens then it doesn't seem to become a pressing concern.

Posted by Spend for it on 1 July 2011

Web security can absolutely be had; however, the more security, the longer it takes, the more it costs, the more skilled your developers and internal penetration testers have to be, the more cumbersome your processes become... and the less you can use practices, code, and tools that most companies use.

Trying to have a very secure Web site running on commodity software on a commodity operating system is very difficult; any time a patch affects you, you have already been vulnerable for some amount of time.

Trying to have a very secure Web site on specialized security software is both very difficult, and very limited; most of the "cool" things other sites do require additional code... additional code means additional opportunity for security flaws.

Posted by Rob Sullivan on 1 July 2011

What I find fascinating about security... specifically web security... black hats automate so much. The Metasploit framework and BackTrack are both amazing tools that can quickly and easily exploit a range of low hanging fruit. With that in mind, I never see companies doing the same basic low level scans of their own stuff and I think that is where a lot of the breakdown comes in. Ignorance can be very expensive.

Lastly, while I certainly don't condone the actions of Lulzsec, I do appreciate how much they publicized it as opposed to how much this happens where users are not aware.

Posted by TechnoPeasant on 1 July 2011

One of the best ways to improve anything is thru transparency. Good or bad. For better or worse.

In this regard only I dont condem what LulzSec has done.

Given the state of things their actions would inevitably have been performed by someone. Oh wait! They've done nothing new!

Ignorance is niether an excuse or bliss.

The 'net is supposed to bring an end to it anyway.

Posted by Jorge Segarra on 1 July 2011

@DataChomp, good point. The black hats have lots of automated tricks up their sleeves (thus the proliferation of "script kiddies") so the sysadmins/white hats are always playing catch up or defense. I think it was either Mitnick or Llamo that said the only true secure system (from external threats anyways) is the one you unplug the network cable from. It's a cat and mouse game but it helps in building a really intricate maze to keep that pesky cat at bay ;-)

Posted by DataChomp on 1 July 2011

I agree that the SadMins are always playing catchup and I am completely on board with what Bill said. As sysadmins we pretty much always have to stay tight lipped and bunkered down... black hats are completely open and agile with each other which lets them move at an incredibly fast pace.  That is actually why I love when SSC does some of these security type of posts.  While I am pretty sure our corporate culture will never allow us to move as fast as the opposition we certainly need to keep trying.

Though, it is likely the people who don't read resources like SSC and the stuff that are part of the problem.

Leave a Comment

Please register or log in to leave a comment.