Computerworld

LulzSec playing dangerous games with Nintendo, Sony hacks

Hacker group needs to "grow up", says Paul Ducklin of Sophos

The unpredictable motivation of hacking group LulzSec, who have claimed responsibility for the recent attacks on Sony and Nintendo, means no one is safe, security experts have said.

LulzSec has even gone as far as releasing a statement regarding the Sony attack.

"Our goal here is not to come across as master hackers, hence what we're about to reveal: SonyPictures.com was owned by a very simple SQL [structured query language] injection, one of the most primitive and common vulnerabilities, as we should all know by now," the group wrote.

Sophos Asia Pacific head of technology, Paul Ducklin, told Computerworld Australia that LulzSec's motivation for attacking Sony was that the group did not agree with Sony's views, but the motive for its attempt to hack a server of an affiliate of Nintendo Co's US unit was less clear.

"They claim to say they love Nintendo and they hack for them," Ducklin said.

"They've got a little bit up themselves with this hacking, so who can say who will be next?

"Cybercriminals generally don't care. They will go after anyone who is vulnerable and the weaker you are, the more likely they are to do something bad to you."

He added that although Nintendo reassured customers no data was stolen, when it comes to data breaches, determining the extent of the damage can be a difficult task.

"Sony found that out when it took them several days to find out what had occurred when the network went down," Ducklin said.

"The other problem is when data gets stolen, the original copy remains, so it's not always obvious what has been duplicated.

"In this case with Nintendo, they seem pretty confident that no data was stolen.

"If you're an Australian customer, you have to decide for yourself if you believe them or not."

Ducklin also warned that LulzSec now had a taste for hacking anyone they could get their hands on.

"These are just adults who need to grow up and stop acting like kids," he said.

"They better well hope that the cops don't get hold of them or they will be in deep water."

The security breaches were a wake-up call for anyone who deemed themselves not important enough to be a victim of cybercrime, Ducklin said.

"They [hackers] prefer a high profile scalp because they are more likely to get information which they can sell for money," he said.

"But if with no additional effort they manage to hack you, then that's all grist to the mill."


He added that the hacking group's online attacks required no "special skills", with their hacking tools freely available for download on the internet.

M86 Asia Pacific vice president, Jeremy Hulse, said there was a high possibility that the Nintendo hack was a pre-emptive strike on the company.

"They distract companies with a DDoS [distributed denial-of-service attack] and while that is going on they will be doing something else," he said.

"People have to judge the risks because anyone can be hacked. The thing to be mindful of as a user is how much detail you are putting at risk.

"Personally, I would say don't use a credit card that exposes all of your savings. These sites should also be applying new levels of security because this is not a one-off."

Hulse echoed Ducklin's view of LulzSec, and said they were one of the few hacking groups who were attention seekers.

"The more serious risk in my book is the groups doing it for monetary gain and they're not going to be openly talking about it," he said.

Microsoft's Xbox Live Service, which was rumoured to be the next LulzSec target, responded in a statement.

"The security around our Xbox Live service and member information is our highest priority," a spokesman said.

"Other than that, we have no comment."

Nintendo Australia was contacted for comment by Computerworld Australia but did not respond at time of writing.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
