Lizard Squad reveals itself. What to learn from the attack?

Sky News has interviewed one of the members of Lizard Squad that explained the motivation of the recent cyber attacks. What to learn from the attack?

The Lizard Squad team is the hacking collective that ridiculed the IT giants Microsoft and Sony in the Christmas day, the popular hackers have brought down the Play Station Network and the Xbox live service affecting hundreds million users worldwide. The group has already hit the popular gaming platforms in the past obtaining the same results, their offensive capabilities are surprising and security teams at Sony and Microsoft failed to defend their platforms.

Who is Lizard Squad? How many people work behind this brand? Which are their motivations?

Sky News has interviewed one its members, his name is Ryan, he is a young man that explained that that attack was masterminded by two or three hackers that acted for fun. Ryan was interviewed from Finland, over Skype, with Sky’s Joe Tidy. Ryan said that Lizard Squad hacking team was a small group, which included members who were under the age of 20.

“We have massive capability to take down networks like this,” he said

Lesson 1: “Hacking” is an asymmetric war in which attackers with apparently limited resources could hit any target, even if it is an IT giant like Sony, Microsoft or a government entity.

Ryan explained that he has no regret about forcing “a couple of kids to spend their time with their families instead of playing games”. The guys hit the gaming platforms for fun, Ryan defined the attack a “sort of a game”.

Lesson 2: We need to change the approach to cyber security. Many experts consider only threats cybercriminals or state-sponsored hackers, someone among us considers dangerous to ignore the hacktivists, almost all people considered as Lizard Squad script kiddies … this approach is totally wrong.

“This attack was basically done by three people. We had a couple of people from outside the group helping with the attacks, helping us a little bit, but most of the traffic was coming from one or two people.”

“Asked why the team carried out the attack he said: “Mostly to raise awareness – to amuse ourselves.”

“Also one of the big aspects here was raising awareness regarding the low state of computer security at these companies.” “Because these companies make tens of millions every month from subscriber fees and that doesn’t even include purchases made by their customers.”

“They should have more than enough funding to be able to protect against these attacks.” “And if they can’t protect against the attacks on their core business networks then I don’t think they’re really doing that much on their overall level of security.” “And these customers are still giving these companies their credit card numbers and such.” 

Lesson 3: Security posture of the targeted companies must be completely reviewed.

What happened at Christmas highlights deep gaps in the security infrastructure of the victims. As claimed by Lizard Squad, companies though aware of the impending attack, failed to defend their core business. The thing is very serious if we consider the economic impact for companies, damage to the reputation and the damage caused to the users. The overall expense in cyber security made by the firm is a failure.

“It is sort of a game for us I have to admit. I completely understand that it’s a bit unethical.” “I’d be rather worried if those people didn’t have anything better to do than play games on their consoles on Christmas Eve and Christmas Day.” Ryan continued.

Lesson 4: Gaming platforms are a privileged target.

Sony and Microsoft have to be happy that Lizard Squad is a group of passionate in cyber security. Imagine a similar attack run by state-sponsored hackers, evidently the company are defenseless … and we cannot exclude that it is already happened. In my previous post on the hacking of gaming platform I wrote:

“Gaming platforms are considerable privileged targets for cybercriminals but also forstate-sponsored hackers. The first group of attackers is mainly attracted by possibility to steal sensitive information, in many cases including credit card numbers, or other commodities resell in the underground market. The second category of attackers is principally interested to exploit the gaming platforms for cyber espionage purposes or to use them to compose botnets to conduct cyber attacks.

The consoles include various functionalities that make them attractive, often they are equipped with a camera and microphone that could be exploited to control the environment, again majority of application includes communications capabilities, such as VOIP channels and game chat, that could be wiretapped for surveillance purposes.”

Do you still consider Lizard Squad a group of script kiddies?

Pierluigi Paganini

(Security Affairs –  Lizard Squad, Sony PlayStation Network, Xbox live)