SecurIT 2019: Hackers may be in it for Lulz, but CSOs are in it for their lives

Big businesses may spend more on security but their complexity makes them easier to hack, a former teenage hacker told an audience of big-business CSOs in opening up a day of insights at CSO Australia’s SecurIT conference this month.

More than 120 security executives attended the inaugural Melbourne event, which brought together a range of speakers from industry and end-user organisations to explore the threats facing organisations and their CSOs today.

Smaller organisations had fewer potentially vulnerable systems and more predictable IT environments that could be effectively secured and controlled – which made them harder to compromise. However, a history of problematic strategic decisions, such as Sony’s controversial move to silently install rootkit-based digital rights management (DRM) on many of its CDs, had made the massive entertainment company “a classic hacker target,” former hacker Mustafa Al-Bassam said in opening the conference.

Sony’s efforts to combat online piracy and protect its multi-modal business had led hackers to poke and prod its systems – with great success, since the firm was bristling with major core systems and ephemeral web sites that were set up to promote movies and music, then left abandoned but online.

That broad exposure made Sony the “game of the year” among hackers, who breached the company nearly two dozen times in 2011 – the year when Al-Bassam, who had joined hacktivist and anti-group Anonymous in 2010 to support its anti-copyright control campaign, co-founded the LulzSec splinter group.

LulzSec – which would eventually lead the 16-year-old hacker to arrest and a suspended sentence that forced him off the Internet for 2 years – went on a hacking spree that included posting fake news, compromising web sites, and leaking the personal details of more than 80m users of Sony’s PlayStation Network (PSN) gaming site.

Years later, Al-Bassam – now a PhD candidate who has left his hacking days in the rearview mirror – said LulzSec “wasn’t really a hacking group, but more of a comedy group, in my opinion.”

“The point of LulzSec wasn’t to show that we were expert hackers,” he told the audience. “It was to show that internal security was not strong. The question was ‘why are all these systems suddenly being exploited?’ and the answer is that they probably were being exploited before, and there probably were a bunch of hackers in the system before – but those hackers didn’t have any reason to tell the world about them.”

Poor visibility could cost you