Rather than condemnation, SecurEnvoy has said that cyber break-ins and advanced malware incidents, such as the recent DDoS attack by LulzSec, should actually be welcomed and their initiators applauded.
Explaining this sentiment, Andy Kemshall - CTO and co-founder of SecurEnvoy, said, “I firmly believe that the media attention LulzSec’s DDoS attack has recently received is deserving. It’s thanks to these guys, who’re exposing the blasé attitudes of government and businesses without any personal financial gain, that will make a difference in the long term to the security being put in place to protect our own personal data!”
Andy continues, “While many are claiming the attack is a bad thing what they’re forgetting is, at the end of the day, it comes down to a fundamental failing on the part of the organisation that allows these criminals in. If they didn’t leave their networks unlocked there wouldn’t be a problem. For example, we visited a local authority last week offering to secure data access while it’s waiting for its SecurID tokens to be replaced by RSA.
We were astounded to find that the organisation was actually pretty blasé and said they didn’t feel there was a huge risk. This is naïve as, not only is there proof that the tokens are insecure as another organisation has been hacked, but why else would RSA go to the expense of replacing them if there wasn’t a problem?”
Talking more specifically about the insecurities surrounding RSA tokens, Andy adds, “Hackers are exposing the holes and bringing the issue out into the open. RSA unbelievably took three months to come clean about their breach and if hackers hadn’t exposed them, through the Lockheed Martin story, would they have come clean at all? The cynic in me thinks not.”
While some believe time and effort should be spent deactivating hacker groups, like LulzSec and Anonymous, Andy believes there is much to be learnt from their expertise and raw talent. Andy clarifies, “These techies are up to speed and are useful to the industry – we need them! What people choose to ignore is many of today’s experts are ex-hackers themselves so Anonymous and LulzSec are actually tomorrow’s authority. They offer fresh ideas and they’re exposing new vulnerabilities that the ‘good guys’ may not yet have seen or even considered. The simple truth is that we’re going to need their expertise if we’re to defend ourselves against other countries and those malicious hackers who are out for financial gain. Instead of persecuting them, we need to recognise their talent, embrace their expertise and encourage them across from the dark side to turn their expertise into something constructive rather than destructive.”
At present it would appear that LulzSec and Anonymous are working on their own initiatives. Andy speculates on the power that could be harnessed by getting these organisations to actually work together, “At the moment, you’ve got these ‘gangs’, for want of a better term, getting massive exposure with what would appear to be very little financial backing or leadership – it goes against the norm as they are doing it for the common course. I think these guys are extremely clever to be able to operate with zero budgets and get the huge amount of coverage they’ve achieved to date in comparison to the vast PR machines of the FTSE 100 companies.
By combining their services you’d create a considerably formidable force whose strength could be used for good, for example to bring down terrorism and the ill-forces operating with the confines of the Internet. We should be nurturing this IT talent and growing it for the good of the general public.” Andy concludes, “Organisations are still too blasé about security. These are people we trust to look after our details, but they don’t seem to be taking this honour too seriously. We need people like LulzSec and Anonymous, and I personally am standing up and saying thank you to these guys, as they are making businesses and government sit up and take action or naming and shaming them so at least I can have an informed opinion of who I can trust.”