And, to hear them tell it, it’s all for a laugh.
Meet Lulz Security, or LulzSec, the gleeful and secretive band of hackers who appear to be responsible for a string of high-profile and sometimes embarrassing Internet attacks.
Their most recent strike, and arguably the most ambitious, was a distributed denial-of-service attack Wednesday that shut down the Central Intelligence Agency’s website for a couple of hours.
A DDoS attack is fairly easy with the right software. But the group has also hacked into sites ranging from Sony Pictures to porn sites, often publishing the passwords and other personal information they find.
Instead of hiding in the dark shadows of the Internet, they are front-and-center on an active Twitter feed fueled with taunts, crude jokes and hints about future attacks.
For those who don’t speak the language, “lulz” is an offshoot of “LOL,” webspeak for laughing out loud. Think of it as a substitute for “just for a laugh.”
“Lulz Security, where the entertainment is always at your expense, whether you realize it or not,” read a recent post on the account. “Wrecking your infrastructures since 2011.”
Analysts said the group appears to be some sort of spin-off of “Anonymous,” the loose coalition of hackers that formed in support of whistle-blower site WikiLeaks.
But while Anonymous has its own set of moral codes and is largely politically motivated, LulzSec tends to be random.
For every hack like the one on PBS, which the group said came out of anger over a documentary about WikiLeaks, there’s the cracking of porn site pron.com — and a subsequent public list of members’ e-mail addresses and passwords.
Breaches are often followed by cautionary notes: Some have even denigrated their own hacking abilities, saying the sites they targeted were incredibly easy to penetrate.
“These seem like they’re probably some kids in the garage or something that are just having fun,” said David Gorodyansky, CEO and co-founder of security software firm AnchorFree.
A request for comment sent to the group’s Twitter account was not returned Thursday.
Click on the group’s website and the theme song from “The Love Boat” plays over an image of what the group calls “The Lulz Boat.” The logo is a cartoon dandy in top hat, monocle and handlebar mustache.
But if the attitude is lighthearted (They’ve even set up a request line with a 614 Columbus, Ohio, area code, to solicit future target suggestions), the consequences can be serious.
For example, on Thursday LulzSec posted what it said were 62,000 e-mails and their passwords, gleaned from unknown sources (Gizmodo has posted a tool to help discover if your account is one of them).
Afterward, they retweeted messages from several followers who bragged they’d gotten access to PayPal, Amazon, Facebook and other accounts from the list.
One follower claimed to have hacked into a woman’s Facebook account and broken up with her boyfriend.
It’s unclear whether LulzSec members played a role in the Sony PlayStation Network breach that compromised the information of 77 million users. But they’ve posted on their website what they claim is proprietary information from Sony Pictures and other Sony properties’ websites.
After the U.S. Senate breach, LulzSec posted what it called a “just-for-kicks” release of some internal data.
“We don’t like the US government very much,” it wrote. “Their boats are weak, their lulz are low, and their sites aren’t very secure. In an attempt to help them fix their issues, we’ve decided to donate additional lulz in the form of owning them some more!”
To help avoid such attacks, Gorodyansky suggested website owners make sure to encrypt them. Using Hypertext Transfer Protocol Secure (https), instead of the “http” that most sites use, makes data more difficult to obtain.
He also urged organizations, businesses and governments to make sure they are running the latest updates, or firmware, for their security tools.
“You may have the latest and most expensive equipment, but if you don’t update the firmware as soon as it comes out, it’s very easy for the hackers to exploit,” he said.