SecurEnvoy Co-Founder Applauds LulzSec Attacks
One security firm is applauding LulzSec for pointing out that organizations are still too "blasé" about security.
The chief technology officer and co-founder of British security firm SecurEnvoy said on Wednesday that LulzSec should be applauded for its recent attacks on government, gaming, banking and other organizations online. The sentiment echoes a report published by Imperva on Wednesday saying that enterprises continue to ignore two common vulnerabilities that LulzSec exploited: SQL injection and cross-site scripting.
"I firmly believe that the media attention LulzSec’s DDoS attack has recently received is deserving," SecurEnvoy CTO Andy Kemshall said. "It’s thanks to these guys, who’re exposing the blasé attitudes of government and businesses without any personal financial gain, that will make a difference in the long term to the security being put in place to protect our own personal data!"
According to Kemshall, if organizations didn't leave their networks unlocked for criminals to waltz right in, there wouldn't be a problem in the first place. Sure, the long string of LulzSec attacks was a "bad thing," but instead of spending time and resources on taking down these hacker groups, governments, organizations and security firms should spend their time examining the groups' "expertise and raw talent."
"These techies are up to speed and are useful to the industry – we need them," he admitted. "What people choose to ignore is many of today’s experts are ex-hackers themselves so Anonymous and LulzSec are actually tomorrow’s authority. They offer fresh ideas and they’re exposing new vulnerabilities that the ‘good guys’ may not yet have seen or even considered. The simple truth is that we’re going to need their expertise if we’re to defend ourselves against other countries and those malicious hackers who are out for financial gain. Instead of persecuting them, we need to recognize their talent, embrace their expertise and encourage them across from the dark side to turn their expertise into something constructive rather than destructive."
Referring to Anonymous and LulzSec as cyber "gangs," he thinks it's extremely clever to be able to operate with zero budgets and get the huge amount of coverage these groups have achieved to date in comparison to the vast PR machines of the FTSE 100 companies. "By combining their services you’d create a considerably formidable force whose strength could be used for good, for example to bring down terrorism and the ill-forces operating with the confines of the Internet," he added. "We should be nurturing this IT talent and growing it for the good of the general public."
Kemshall concluded his statement by saying that organizations are still too blasé about security, that they don't seem to be taking the "honor" of securing our details seriously. "We need people like LulzSec and Anonymous, and I personally am standing up and saying thank you to these guys, as they are making businesses and government sit up and take action or naming and shaming them so at least I can have an informed opinion of who I can trust," he said.

well said.
Good Point. But wonder if he will have the same opinion if his company web site was hacked by LulzSec or Anonymous.
He would be shutting up, being a security firm CTO. Still, I agree with what he's saying, and it puts a new point in the face of all the hacker haters in this forum.
he is Happy because he is getting more business because of them DUH.
Except that it's a lot easier to exploit a vulnerability than it is to fix it. Just because they exploited vulnerabilities doesn't mean they know a damn thing about how to prevent them. Learning to fire a weapon is a lot easier than building an impenetrable fortress.
I know this guy is trying to spin this into a wake-up call for security, but looking to the attackers for help/answers probably isn't the best place to start. Just because they brought this into the public spotlight doesn't excuse the fact they did so in a criminal manner, so exonerating them is simply out of the question. The ends do not always justify the means.
raz, that is inaccurate, most of these people build their own tools (I'm not saying they did or didn't)
but that is not a very fair comparison
firstly how do you know that there is a problem? you try to break into it and then you know what to fix
Just because they brought this into the public spotlight doesn't excuse the fact they did so in a criminal manner....
Just because you think it's not legal, and it's not legal where you are from, doesn't mean it's not legal.
Look up article 83 of the Iranian penal code. The penalty for Adultery is to be buried up to your neck and stoned, if you can escape from being buried to your neck without outside assistance before someone kills you, then your crimes are forgiven.
Not saying what LulzSec did was right, but there are way bigger problems in the world than finding a few hackers to crucify. I think this guy is spot on, just ignore them, and fix your $h!t.
As with most statements primarily aimed at helping yourself, he has a couple of points right and most wrong.
1) Companies are still ignoring security.... Right
2) LulzSec Got lots of PR with low budget... Right
3) They did it without personal or financial gain... Wrong, or at best partially wrong... Known is that someone made money (and LulzSec can't show it is not them) out of this.
4) We need them as security guards since they know how to "waltz into an open network"... Wrong. Just because I can make an IED and blow up a school full of kids does not make me an expert in how to secure kids from any possible harm anywhere in the world. With that logic we should embrace all terrorists and employ them as security guards, because they show the flaws in our society. Don't think so...
He will at least make loads of PR for almost no money by stating what he did and we are all helping him.
As an old hacker from the late '70s and early '80s having done the "been there done that" to most institutions who thought they were impenetrable (it was easier and harder then, but if you were not there then you probably don't know), I can understand the breaking in and leaving tags but not the taking information out of there. Even an infantile can understand that if you can break into SOE and leave "kilroy was here" tags, you could grab any info you wanted. Taking the info was crossing the ethical line of a hacker.
How is stealing people's accounts/credit cards etc
Not saying what LulzSec did was right, but there are way bigger problems in the world than finding a few hackers to crucify. I think this guy is spot on, just ignore them, and fix your $h!t.
Regardless, what they did is sabotage websites and exploit peoples personal information, account info, credit card info etc. They should be punished for what they did, perhaps a plea bargain could be used to reduce their sentences.
wow, it's like saying we should thank the criminals for making us realize the police and the citizens are not doing enough to secure themselves from criminal elements
Except that it's a lot easier to exploit a vulnerability than it is to fix it. Just because they exploited vulnerabilities doesn't mean they know a damn thing about how to prevent them. Learning to fire a weapon is a lot easier than building an impenetrable fortress. I know this guy is trying to spin this into a wake-up call for security, but looking to the attackers for help/answers probably isn't the best place to start. Just because they brought this into the public spotlight doesn't excuse the fact they did so in a criminal manner, so exonerating them is simply out of the question. The ends do not always justify the means.
You are dumb. If it's so easy to break security then why haven't all the security holes been found?
The thing people are forgetting here is DDoS is overwhelming the networking interfaces, either the interfaces at the server, at the firewall and/or IDS, or at the router connecting the system to the internet. Taking down a site with a DDoS isn't as hard as this guy is making it out to be, you need to have the systems tossing the packets at the target. What allowed this was the exploit of all the AMP (Apache-MySQL-PHP) servers out there that are open to SQL injection, CSS, and RFI attacks. SQL injection is easy to defend against if you just take fifteen minutes when setting up your webserver and properly secure SQL and PHP (which most people don't). This CTO should be preaching to everyone that has set up an AMP webserver and didn't secure it properly, not the people on the other end of the DDoS attacks.
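Added example, not part of the comment above nor of the Imperva report the article cites: the SQL injection pattern the thread keeps referring to, shown as an injectable login query beside its parameterized counterpart, run against a constructed in-memory SQLite table. The table contents, the function names and the two payloads are assumptions for illustration; the point is that the fix is parameterization, not escaping by hand.

```python
import sqlite3

# Constructed sample rows for the demo; not data from any real breach.
SEED_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    """Build a throwaway in-memory database with a two-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Injectable login: user input is spliced into the SQL text itself."""
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized login: the driver ships values separately from the SQL,
    so a quote or comment marker in the input is just data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


# Two classic payloads (assumed for the demo):
#   a tautology in the password field, and a SQL comment in the name field
#   that truncates the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "bob'--"


def demo():
    """Run both logins with legitimate and malicious input; return the outcomes."""
    conn = make_db()
    return {
        # legitimate credentials work in both versions
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        # the injectable version is bypassed by either payload
        "tautology_vuln": login_vulnerable(conn, "nobody", TAUTOLOGY),
        "comment_vuln": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        # the parameterized version treats the payloads as literal strings
        "tautology_safe": login_safe(conn, "nobody", TAUTOLOGY),
        "comment_safe": login_safe(conn, COMMENT_OUT, "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} -> {value}")
```

With the tautology, the spliced query becomes `... name = 'nobody' AND password = '' OR '1'='1'`, which is always true and returns the first row; with the comment payload, everything after `--` is dropped, so the password is never compared. The parameterized version returns nothing for either, because the driver never lets the input change the shape of the statement.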
How is stealing people's accounts/credit cards etc. Regardless, what they did is sabotage websites and exploit people's personal information, account info, credit card info etc. They should be punished for what they did, perhaps a plea bargain could be used to reduce their sentences.
a plea bargain???
What the hell?
Did they catch anyone?
And out of all the info compromised.
Name me one person that got defrauded using information leaked by Anonymous or LulzSec.
You sir, may need to get your facts straight. Or any fact at all.
You are dumb. If it's so easy to break security then why haven't all the security holes been found?
LMAO. I never claimed securing systems was easy. What I said was it's easier to exploit a known vulnerability than it is to fix it. The source quoted within the article said these guys attacked well-known vulnerabilities, so obviously it's easier to exploit them than it is to fix them. Otherwise, they wouldn't be well-known vulnerabilities, would they?
you people REALLY don't know how coding works, do you?
if they are script kiddies, then yeah, they have nothing of value. if they wrote the code, then they know the exploit, and know a way it can be patched.
think of it more like knowing how to open a safe without destroying the inside. if you know how to do that, then you also know how to make it harder to crack open.
More proof this has nothing to do with antisec, lulzsec use basic high level exploits made available through full disclosure (so they rely on the security industry) and help the security industry. That is pretty much the exact opposite of antisec.
People are blowing this out of proportion, it's not as if they are running around with an unknown remote Apache exploit like el8 were when antisec started. They fumble with SQL injection using tools like Havij, which is pretty much the definition of a script kiddy.
There are real hackers out there, but these aren't them.
Stealing personal information and distributing it online is not raising awareness of security.
This security firm is probably a joke.
This guy needs his head checked!!! Just because I accidentally leave my house unlocked doesn't mean you are invited in. It is still criminal trespassing either way. Locking the doors keeps the honest people out.
While I agree with what he is saying, he's not exactly coming from a neutral standpoint. He works for a security company that benefits from acts committed by hackers (on non client systems).
This guy needs his head checked!!! Just because I accidentally leave my house unlocked doesn't mean you are invited in. It is still criminal trespassing either way. Locking the doors keeps the honest people out.
Sorry, but physical analogies to digital events don't work. Just like pirating a movie isn't equivalent to stealing a physical copy. Also, 'locking the doors' in the digital sense doesn't keep honest people out.
LulzSec really showed that security in many companies and government is vulnerable.
Finally, someone who encourages a view of self responsibility for tech companies.
@bluekoala
People have already canceled credit cards under suspicious activity after the Sony attack. The fact is whether it be Anon, LulzSec or the countless other people who now have access to people's personal info (LulzSec published some of this info already to others).
People are still trying to hunt down these criminals. If and when they get caught, they 'could' get plea bargains if they rat out others in the group. Law enforcement won't simply stop looking for these people because they tweet that they're stopping.
You sir need to get your facts straight.
Sorry, but analogs of digital events to physical ARE in fact accurate. Both cost money, time, resources to fix. Both have real costs. Stealing movies is EXACTLY THE SAME if you pirate online or shoplift it, hacking into someone's private property and stealing information is REALLY THEFT!
Both "real" and "digital" crimes hurt people - financially, psychologically and physically.. Only sociopaths deliberately hurt people. Therefore - hackers and pirates are in fact sociopaths and belong in the same prison.