June 21, 2011 -- A 19-year-old man alleged to have hacked into companies and intelligence agencies around the world was arrested Tuesday in Wickford, England by Scotland Yard and the FBI, according to British police.
The police would not confirm whether the suspect was connected to a hacking group called Lulz Security, but the arrest took place days after LulzSec took credit online for bringing down the CIA's website, the most recent major security breach the group allegedly accomplished.
"Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts?" said LulzSec in a letter posted Friday. "You are a peon to these people. A toy. A string of characters with a value."
The CIA breach was just one in a string of high-profile hack attacks by loosely-organized shadow groups such as Lulzsec and Anonymous, including the websites of Sega,SonyCitibank and the U.S. Senate. Their websites have all been hit by hackers now. In Sega's case, the firm said over the weekend the attackers got access to account information for 1.3 million users.
Will today's arrest make a difference? LulzSec, which has attracted more than 200,000 followers on Twitter, put up a post today: "Seems the glorious leader of LulzSec got arrested, it's all over now... wait... we're all still here! Which poor bastard did they take down?" LulzSec, which often tweaks the corporations and governments it claims to have victimized, calls itself "the world's leaders in high-quality entertainment at your expense."
Hacking -- once seen as the pastime of geeky teenagers who didn't have better things to do with their technological skills -- has apparently ballooned in just the last few weeks or months. Google's Gmail service was attacked from somewhere in China. There have been debates over whether cyber attacks from other countries qualify as acts of war.
Security consultants said you, the regular Internet user, are probably safe if you take standard precautions, such as deleting emails from strangers and changing your passwords regularly. Most firms that handle sensitive data, such as credit card numbers, try to stay a step ahead of the intruders. But it's full-time work.
"According to the Senate's Sergeant at Arms, the computer systems of the Executive Branch agencies and the Congress were probed or attacked an average of 1.8 billion times per month last year," said Sen. Susan Collins, D-Maine, after the Senate site was hit. "Congress needs to fundamentally reshape how the federal government works collaboratively with the private sector to address all cyber threats, from espionage and cyber crime to attacks on the most critical infrastructure."
"It feels to me like there are definitely more hacks taking place," said Graham Cluley, who analyzes online trends for the computer-security firm Sophos. In an email to ABC News, he broke the attackers into three types:
"Hacktivists. They may be doing it for laughs, or believe they are making a political point, but they don't have a financial motive."
Genuine criminals. Cluley called them "your regular identity thieves -- interested in stealing identities, credit card detail, because of the money that can be made out of them."
Infiltrators. "These are the hackers who appear to be hacking organizations and government bodies with the intention of stealing sensitive information with -- perhaps -- military or economic motivation," said Cluley. He cited attacks on U.S. military contractors, such as an internal network at the aerospace giant Lockheed Martin.
Online Security: Sometimes Uneven
Security analysts said banks and credit card companies are often very good at keeping sensitive data encrypted; even if hackers get access to your card number they won't be able to do anything with it. But other firms have been more lax: Sony's PlayStation gaming network was disabled for weeks after an April attack, and the company has spent hundreds of millions of dollars to recover both data and its customers' trust.
"The fact that Sony was not securing their customer information adequately was known before the first major breach," said California-based consultant Rob Enderle. "But Sony wasn't taking the problem seriously."
Cluley said one likely increase was in the number of organizations admitting they'd been hacked. The number of attacks is tremendous, he said, though most are unsuccessful or, in many cases, merely annoying.
LulzSec did trumpet its success in knocking out the CIA's public website -- though security consultants said that's not the place to hit if you genuinely mean to compromise national security. But the group did follow with this Twitter post: "This is the Internet, where we screw each other over for a jolt of satisfaction."