Hackers Take Down CIA Website; Security Breach Points to LulzSec DDoS

Jay Decenella, IT audit expert
June 16, 2011

In what might be a blowout of cyber attacks on government and organization Web sites this month, the Central Intelligence Agency (CIA) became the latest victim of hacker group Lulz Security (LulzSec) in a security breach that fortunately did not compromise personal details.

LulzSec took credit on Wednesday for taking down the CIA’s Web site for hours. In an alert posted on Twitter, LulzSec boasted of the breach, saying “Tango down — cia.gov — for the lulz.”

The site was back online less than three hours after the Tweet. As with the other sites that LulzSec attacked before, the CIA Web site was taken down using a distributed denial-of-service (DDoS) attack, which overloads a site’s server with requests for access.

At the same time, LulzSec also successfully hacked into the gaming site EVE Online, a popular sci-fi multiplayer online game. The attack took the site offline for a couple of hours.

LulzSec has been known to attack Web sites to highlight weaknesses rather than to cause damage.

“While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are – in the worst cases – having their personal data exposed,” Sophos senior technology consultant Graham Cluley said.

“There are responsible ways to inform a business that its website is insecure, or it has not properly protected its data – you don’t have to put innocent people at risk. What’s disturbing is that so many internet users appear to support LulzSec as it continues to recklessly break the law.”

LulzSec, for instance, has more than 158,000 followers on Twitter.

CIA spokeswoman Marie Harf said the agency is “looking into these reports.”

Experts said the fact that hackers could penetrate Web sites and harvest system administrators’ credentials underscores the poor security of most sites.

Cluley said that although the security breach of the CIA Web site did not compromise personal details of individuals, the case should not be taken as “harmless.”

“The CIA website is a primary method through which the agency communicates with the rest of the world, and it’s not going to take kindly to being forced offline by hackers.

“In case anyone’s in any doubt, a denial of service attack, like that which appears to have hit the CIA website, is against the law.

“With this new attack against the CIA website, you have to ask yourself if LulzSec has finally bitten off more than it can chew. After all, they’ve just poked a very grizzly bear with a pointy stick. LulzSec’s cockiness may be their undoing.”

The security breach came after a previous string of attacks launched against the Web sites of PBS, the U.S. Senate and the Atlanta chapter of InfraGard, a public-private partnership between the FBI and the private sector that shares information and intelligence to prevent hostile acts against the United States.

In the case of InfraGard, LulzSec published details on users and associates of the non-profit organization, including 180 user names, hashed passwords, plain text passwords, real names and email addresses.

On the other hand, the attack on the Senate site has resulted in the exposure of user names and passwords of system administrators, though the security breach did not involve highly confidential data.

Last month, the PBS site was broken into and used by LulzSec to post a sham article purporting that Tupac Shakur, who died in 1996, was alive and living in New Zealand. The attack was launched following a PBS documentary on WikiLeaks that LulzSec considered unfair.

Earlier this month, the International Monetary Fund admitted to an attack that compromised some of its systems and exposed internal data to unauthorized parties.

 
