Australian police arrest senior member of LulzSec hacking group
Yahoo News by Jane Wardell/ Reuters April 24, 2013
SYDNEY (Reuters) –
Australian Federal Police have arrested the self-proclaimed leader of the international hacking group LulzSec, the collective that claimed responsibility for infiltrating and shutting down the CIA website.
Police said the 24-year-old IT worker, who held a position of trust at an international company, was arrested in Sydney on Tuesday evening and charged with hacking offences that carry a maximum penalty of 10 years.
Glen McEwen, manager of cyber crime operations at Australian Federal Police, said the man was detained at work, where he had access to sensitive information from clients including government agencies.
LulzSec, an offshoot of the international hacking group Anonymous, has taken credit for hacking attacks on government and private sector websites, including the Central Intelligence Agency (CIA), Sony Pictures, a unit of Sony Corp, 20th Century Fox and Nintendo.
Anonymous – and LulzSec in particular – became notorious in late 2010 when they launched what they called the “first cyber war” in retaliation for attempts to shut down the Wikileaks website.
The name LulzSec is a combination of “lulz”, another way of writing “lols” or “laugh out loud”, and security.
Australian police said the unnamed Australian man, who used the online moniker “Aush0k”, was known to international law authorities.
His arrest comes a week after an American member of LulzSec, Cody Kretsinger, was sentenced in a Los Angeles court to a year in prison followed by home detention. Kretsinger, who used the online handle “Recursion”, pleaded guilty in a plea agreement with prosecutors.
Court documents in that case revealed that Anonymous leader “Sabu”, whose real name is Hector Xavier Monsegur, had provided the FBI with information on fellow hackers after pleading guilty to hacking offences.
The Australian hacker has been charged with two counts of unauthorized modification of data to cause impairment and one count of unauthorized access to a restricted data system after a government website was attacked earlier this month.
“Let me make it extremely clear to everybody out there, this is not harmless fun, this is serious,” McEwen said at a press conference.
McEwen said the man posted in online forums frequented by other members of LulzSec that he was the group’s leader.
“There were no denials of his claims of being the leader,” McEwen told reporters.
The man has been granted bail and will appear before a court next month.
LulzSec allegedly broke into Australian government department and university websites in 2011. Anonymous last year took around 10 Australian government websites offline, protesting plans to force ISPs to store more user data and make it available to security services.
(Additional reporting by Michael Sin; Editing by Paul Tait and Jeremy Laurence)
Forget Disclosure — Hackers Should Keep Security Holes to Themselves
WIRED by Andrew Auernheimer November 29, 2012
Editor’s Note: The author of this opinion piece, aka “weev,” was found guilty last week of computer intrusion for obtaining the unprotected e-mail addresses of more than 100,000 iPad owners from AT&T’s website, and passing them to a journalist. His sentencing is set for February 25, 2013.
Right now there’s a hacker out there somewhere producing a zero-day attack. When he’s done, his “exploit” will enable whatever parties possess it to access thousands — even millions — of computer systems.
But the critical moment isn’t production — it’s distribution. What will the hacker do with his exploit? Here’s what could happen next:
The hacker decides to sell it to a third party. The hacker could sell the exploit to unscrupulous information-security vendors running a protection racket, offering their product as the “protection.” Or the hacker could sell the exploit to repressive governments who can use it to spy on activists protesting their authority. (It’s not unheard of for governments, including that of the U.S., to use exploits to gather both foreign and domestic intelligence.)
The hacker notifies the vendor, who may — or may not — patch. The vendor may patch mission-critical customers (read: those paying more money) before other users. Or, the vendor may decide not to release a patch because a cost/benefit analysis conducted by an in-house MBA determines that it’s cheaper to simply do … nothing.
The vendor patches, but pickup is slow. It’s not uncommon for large customers to do their own extensive testing — often breaking software features that couldn’t have been anticipated by the vendor — before deploying improved patches to their employees. All of this means that vendor patches can be left undeployed for months (or even years) for the vast majority of users.
The vendor creates an armored executable with anti-forensic methods to prevent reverse engineering. This is the right way to deploy a patch. It’s also manpower-intensive, which means it rarely happens. So discovering vulnerabilities is as easy as popping the old and new executable into an IDA Pro debugger with BinDiff to compare what’s changed in the disassembled code. Like I said: easy.
Basically, exploiting the vast unpatched masses is an easy game for attackers. Everyone has their own interests to protect, and they aren’t always the best interests of users.
Things Aren’t So Black and White
Vendors are motivated to protect their profits and their shareholders’ interests over everything else. Governments are motivated to value their own security interests over the individual rights of their citizens, let alone those of other nations. And for many information security players, it’s far more lucrative to sell incrementally improved treatments of a disease’s symptoms than it is to sell the cure.
Clearly, not all the players will act ethically, or capably. To top it all off, the original hacker rarely gets paid for his or her highly skilled application of a unique scientific discipline towards improving a vendor’s software and ultimately protecting users.
So who should you tell? The answer: nobody at all.
White hats are the hackers who decide to disclose: to the vendor or to the public. Yet the so-called whitehats of the world have been playing a role in distributing digital arms through their disclosures.
Researcher Dan Guido reverse-engineered all the major malware toolkits used for mass exploitation (such as Zeus, SpyEye, Clampi, and others). His findings about the sources of exploits, as reported through the Exploit Intelligence Project, are compelling:
None of the exploits used for mass exploitation were developed by malware authors.
Instead, all of the exploits came from “Advanced Persistent Threats” (an industry term for nation states) or from whitehat disclosures.
Whitehat disclosures accounted for 100 percent of the logic flaws used for exploitation.
Criminals actually “prefer whitehat code,” according to Guido, because it works far more reliably than code provided from underground sources. Many malware authors actually lack the sophistication to alter even existing exploits to increase their effectiveness.
Navigating the Gray
A few farsighted hackers of the EFnet-based computer underground saw this morally conflicted security quagmire coming 14 years ago. Uninterested in acquiring personal wealth, they gave birth to the computational ethics movement known as Anti Security or “antisec.”
Antisec hackers focused on exploit development as an intellectual, almost spiritual discipline. Antisec wasn’t — isn’t — a “group” so much as a philosophy with a single core position:
An exploit is a powerful weapon that should only be disclosed to an individual whom you know (through personal experience) will act in the interest of social justice.
After all, dropping an exploit to unethical entities makes you a party to their crimes: It’s no different than giving a rifle to a man you know is going to shoot someone.
Though the movement is over a decade old, the term “antisec” has recently come back into the news. But now, I believe that state-sanctioned criminal acts are being branded as antisec. For example: Lulzsec’s Sabu was first arrested last year on June 7, and his criminal actions were labeled “antisec” on June 20, which means everything Sabu did under this banner was done with the full knowledge and possible condonement of the FBI. (This included the public disclosure of tables of authentication data that compromised the identities of possibly millions of private individuals.)
This version of antisec has nothing in common with the principles behind the antisec movement I’m talking about.
But the children entrapped into criminal activity — the hackers who made the morally bankrupt decision of selling exploits to governments — are beginning to publicly defend their egregious sins. This is where antisec provides a useful cultural framework, and guiding philosophy, for addressing the gray areas of hacking. For example, a core function of antisec was making it unfashionable for young hackers to cultivate a relationship with the military-industrial complex.
Clearly, software exploitation brings society human rights abuses and privacy violations. And clearly, we need to do something about it. Yet I don’t believe in legislative controls on the development and sale of exploits. Those who sell exploits should not be barred from their free trade — but they should be reviled.
In an age of rampant cyber espionage and crackdowns on dissidents, the only ethical place to take your zero-day is to someone who will use it in the interests of social justice. And that’s not the vendor, the governments, or the corporations — it’s the individuals.
In a few cases, that individual might be a journalist who can facilitate the public shaming of a web application operator. However, in many cases the harm of disclosure to the un-patched masses (and the loss of the exploit’s potential as a tool against oppressive governments) greatly outweighs any benefit that comes from shaming vendors. In these cases, the antisec philosophy shines as morally superior and you shouldn’t disclose to anyone.
So it’s time for antisec to come back into the public dialogue about the ethics of disclosing hacks. This is the only way we can arm the good guys — whoever you think they are — for a change.
Anonymous Launches OpIsrael DDoS Attacks After Internet Threat
Hacktivist collective said the attacks are in response to the Israeli government threatening to sever all Internet connections to and from Gaza strip.
Information Week by Mathew J. Schwartz November 15, 2012
The hacktivist group Anonymous Thursday announced that it would begin launching online attacks against a number of Israeli government sites, as part of its ongoing Operation Israel (OpIsrael).
The Anonymous distributed denial-of-service (DDoS) attacks began at 10 a.m. Israeli time (3 a.m. Eastern time).
“Since this morning they’ve been trying to take down several Israeli websites, including the prime minister’s website, the IDF [Israel Defense Force] website, banks, airlines, and so on,” said Ronen Kenig, director of product marketing for security products at Radware, speaking by phone from Tel Aviv. “They published a list of four to five attack tools that they’ve asked their supporters to use, including the mobile LOIC, and network flooding attack tools.” In addition, he said, attackers have been launching brute-force attacks against the IDF’s blog, in an attempt to find working access credentials.
To date, however, the attacks — which Kenig characterized as being “well coordinated” — appear to have had minimal effect against the public-facing websites. “Some websites have suffered from defacements,” he said. “None of the government ones, but some private ones that may relate somehow to military equipment have been defaced.”
The Anonymous-organized attacks were preceded one hour earlier by the uploading of an Anonymous-issued statement to AnonPaste. It said that the Anonymous DDoS attacks were a response to Israel’s reported threat to disconnect Gaza Strip from the Internet. “When the government of Israel publicly threatened to sever all Internet and other telecommunications into and out of Gaza they crossed a line in the sand,” according to the statement.
In case the Gaza Strip’s Internet connection does get severed, the Anonymous statement included a link to a downloadable “Care Package For Gaza,” which is a 1 MB zipped file that it said “contains instructions in Arabic and English that can aid you in the event the Israel government makes good on it’s (sic) threat to attempt to sever your Internet connection,” as well as tips “on evading IDF surveillance.”
The zipped file includes two documents, both written in Arabic and English. One is an oft-reprinted 2007 guide to basic first aid written by an Egyptian physician, Dr. Ehab El-Said Mohamed. The other, titled “TechGuideForInternetShutDownGAZA.pdf,” tells people that if their Internet connection gets severed, they should attempt to find a short-wave radio and build a 65.5-foot antenna.
By comparison, the Anonymous DDoS attacks are more advanced. According to Radware, the attackers have been using SYN floods via TCP/IP, initiating more connection requests to a server than it can handle, which can make it unreachable. They’ve also been using ICMP attacks, which floods a network by exploiting misconfigured network devices to broadcast large quantities of packets to all devices connected to that network.
Attackers have also been using LOIC, which is a PC-based tool for launching a DDoS attack against a website of the user’s choosing, if used in manual mode. When used in “hive mind” mode, meanwhile, the tool’s target can be controlled by attack organizers. Although an early version of LOIC, used in attacks against PayPal, broadcast the IP address of the person using it to the site being attacked — unless they were using a VPN — developers have since updated the tool to better hide users’ tracks. A more recently released version of LOIC also now runs on mobile phones.
Kenig said it was impossible to tell from where the OpIsrael Anonymous DDoS attacks are being launched. “We don’t know, but we know that according to what was published, it’s mainly Anonymous members that are supporting the Palestinians in Gaza Strip. They are the ones who have been launching this campaign, and they’re looking for supporters,” he said. “We saw in the [IRC] channels loads of correspondence in Arabic, so we can guess where it comes from.”
Previous DDoS Anonymous attacks, including against PayPal and record industry trade groups, succeeded in knocking those sites offline not via LOIC attacks, but rather through the participation of botnet controllers, who brought the necessary packet-spewing firepower to bear. So far, however, Kenig said there’s no sign that botnets have been used in these OpIsrael attacks. “At this point, it looks like there is no botnet involved, but mainly supporters using LOIC, mobile LOIC, and the usual stuff for Anonymous,” he said.
As of press time, the government websites under attack remained reachable, although the IDF website appeared to be loading slowly. Meanwhile, the website of an Israeli surveillance camera manufacturer had been defaced with an image of smoke rising from the Gaza Strip, together with a “Stop bombing Gaza!!” warning, saying that “millions of Israelis & Palestinians are lying awake, exposed & terrified.” The website has been previously defaced with Anonymous messages.
The Anonymous OpIsrael campaign began after Israel and Gaza militants exchanged fire in what’s been described as the most intense violence to have occurred in the Gaza Strip since 2009. The conflict escalated after Israel warned that, after days of rocket attacks emanating from the Gaza Strip, it would increase the frequency of its targeted assassinations of top Hamas officials.
Israel Wednesday launched “Operation Pillar of Defense,” which opened with an airstrike against a car carrying Ahmed al-Jaabari, who headed the Izz el Deen al Qassam, which is the military wing of Hamas. The airstrike killed him, together with at least one other occupant. The Israeli Defense Force has begun releasing black-and-white footage of its airstrikes.
So-called security experts making basic information security errors isn’t a new occurrence. Arguably, it even led to the rise of the Anonymous hacktivist collective.
Information Week by Mathew J. Schwartz November 15, 2012
Is there any way to keep online identities and the content of email communications hidden?
Clearly, covering one’s tracks is tough to do, as demonstrated by David Petraeus, the highly decorated general who last year became director of the CIA. Notably, his affair with Paula Broadwell — hardly a national security matter — came to light this week after the FBI found that the couple was using a Gmail account to communicate.
Still, for the director of a U.S. intelligence agency to have been caught in this manner is, frankly, a security embarrassment. Rather than using a VPN to mask their IP addresses or encryption to scramble the contents of their messages, or simply avoiding email altogether, Petraeus and Broadwell communicated using saved Gmail drafts. Having gone to the trouble to hide what they were doing, why didn’t they find a more secure communications mechanism?
Then again, no amount of hiding their online tracks may have helped foil determined investigators. Even supposedly master hackers have been identified after just one small misstep.
Consider the example of LulzSec leader Sabu — real name, Hector Xavier Monsegur. He reportedly failed to mask his IP address just once or twice before logging into an IRC chat room, which ultimately allowed the FBI to pinpoint his real IP address and then identity. Meanwhile, Backtrace Security also found, hidden in a LulzSec chat file, a domain name that led to a subdomain that mirrored a page where Monsegur had posted a picture of his beloved Toyota AE86.
Seeing so-called security experts commit basic information security errors isn’t a new occurrence. Arguably, it even led to the rise of the Anonymous hacktivist collective. According to journalist Parmy Olson’s book We Are Anonymous, the collective had lost steam after its Church of Scientology and PayPal exploits. Then HBGary Federal CEO Aaron Barr launched a PR stunt meant to drum up business, publicly boasting that he would soon unveil the identities of key Anonymous players. That led the key players, including Sabu, to see just what Barr knew — he turned out to not have identified them at all — as well as make a lesson of him to any other would-be Anonymous enemies.
As Olson recounts, Sabu scanned the HBGary Federal website and found — ironically, for an information security firm — that it was built using a commercial content management system that contained a known vulnerability. Using a SQL injection attack, the hacktivists retrieved a list of HBGary employees’ usernames and passwords, although the latter had been hashed using MD5. While that temporarily stymied Sabu — the group was still sharpening its technical skills — he uploaded three of the passwords to the hashkiller.com forum. Its members quickly cracked the hashes and shared the plaintext passwords, including Barr’s work password, which was “kibafo33.”
The hackers then tested whether Barr’s password worked for any of his other website accounts. Remarkably, Barr, a self-described information security expert, had reused his work password on numerous sites — including Facebook, Flickr, Twitter, Yahoo as well as World of Warcraft. On Super Bowl Sunday 2011, Anonymous owned those accounts and began issuing vulgar tweets in Barr’s name and providing links to a torrent file containing over 70,000 HBGary emails that it had surreptitiously copied and deleted from the company’s servers.
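The HBGary chain above turned on two storage weaknesses: unsalted MD5 means every user with the same password shares the same hash, and a single cracked hash is reusable everywhere the password was reused. The following is an added illustration, not code from the article or from HBGary’s systems; it assumes a hypothetical user table keyed by username and shows the legacy scheme beside a salted PBKDF2 replacement with an upgrade-on-login path.

```python
"""Added example: why unsalted MD5 password storage fails as in the HBGary
case, and what a defender migrates it to. All sample users are constructed."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256


def legacy_md5(password: str) -> str:
    """The scheme the article describes: a bare, unsalted MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2$iters$salt$hash'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Constant-time check of a password against a 'pbkdf2$...' record."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_legacy_md5(stored: str) -> bool:
    """32 lowercase hex chars and no scheme prefix: an unsalted MD5 record."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Authenticate; if the record is legacy MD5, re-hash with PBKDF2 in place.
    The plaintext is only available at login, so that is when to migrate."""
    stored = store.get(user)
    if stored is None:
        return False
    if is_legacy_md5(stored):
        if not hmac.compare_digest(legacy_md5(password), stored):
            return False
        store[user] = pbkdf2_hash(password)
        return True
    return verify_pbkdf2(password, stored)


def duplicate_password_groups(store: dict) -> list:
    """With unsalted hashes, equal passwords collide, so one cracked hash exposes
    every user in the group. Returns sorted groups of users sharing a record."""
    by_hash = {}
    for user, stored in store.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


# Constructed sample table in the legacy format (hypothetical users)
USERS = {
    "alice": legacy_md5("Winter2011!"),
    "bob": legacy_md5("Winter2011!"),  # same password => identical hash
    "carol": legacy_md5("correct horse"),
}

if __name__ == "__main__":
    print("collisions before upgrade:", duplicate_password_groups(USERS))
    for name, pw in [("alice", "Winter2011!"), ("bob", "Winter2011!")]:
        login_and_upgrade(USERS, name, pw)
    print("collisions after upgrade:", duplicate_password_groups(USERS))
```

After the two logins, alice and bob hold distinct salted records even though their passwords are identical, so the reuse that let one crack unlock the whole table is no longer visible in the store.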
Compared to the HBGary episode, Petraeus’ Gmail missteps — still surprising for the head of an intelligence agency — appear less galling. In the end, however, his story isn’t just about the startling ease with which one’s supposedly hidden communications or identity can be uncloaked, our country’s poor privacy protections or an investigation that should never have begun. Rather, it’s also about human errors.
Namely, Broadwell was jealous of Jill Kelley, a married Tampa socialite who volunteers with wounded veterans and military families, and her friendship with Petraeus, which she saw as a threat. So Broadwell sent threatening emails to Kelley, who passed them to FBI agent Frederick W. Humphries II, which triggered the investigation. Given that Broadwell, who was married, was having an affair with the director of the CIA, shouldn’t more discretion have been the order of the day?
With information security, as in life, the biggest wildcard remains the human factor.
The proposed remedy is to provide the U.S. government with broad access to private systems so that malware can be quickly identified and removed and other national threats identified and stopped. The problem is that such access creates privacy issues and may itself be a bigger problem than the threat it attempts to eliminate. Not only is the requested change unlikely to happen any time soon, it may increase the potential for either a domestic or foreign cyber attack.
Central Network Eliminates Natural Protection
One hidden benefit in the fact that our systems often don’t share information well or have a common security structure is that attacks against infrastructure therefore have to be tightly targeted. This means an attack on one private or public system probably won’t even work on most others, since they run a variety of different security packages, operating systems and applications, all surrounded by different policies.
One of the reasons we haven’t yet had a repeat of 9/11, that is, an attack that reaches catastrophic levels, is because these systems just don’t interoperate very well or share information at a low level. The amount of work to carry out such an attack currently exceeds the resources of the attackers.
Create a central network where systems regularly and automatically share information in real time, though, and you also create a single point of access where such an attack can be perpetrated. You change an impossible problem into one that is just very difficult, and, given both public and private practices to put off spending on security until there is a credible threat or demonstrated damage, attacking this centralized system will likely get easier over time for an outside entity and may be too attractive for a properly placed disgruntled employee to pass up.
The government’s recent history with security is a case in point. The death of the U.S. Ambassador to Libya showcased a situation in which the risks were real, and known, yet protections were reduced. After the attack, the political system focused on finding someone to blame, not assuring that the problem wouldn’t recur.
In short, the very system Panetta is suggesting could be the key to causing the thing he is trying to avoid.
A Better Short-Term Cybersecurity Solution
I see several things the government could do instead.
Strengthen liability laws in order to fast-track the process for compensating companies that suffer damage caused by inadequate protection.
Assure that compensation comes from the budgets of the government organizations whose systems were targeted, in a manner similar to the way insurance companies pay out settlements. This would force agencies to increase their security budgets and audit the results to ensure they aren’t too exposed.
Provide a common, required reporting method to report an identified attack along with a requirement for minimal legal coverage.
All this could be done without connecting the systems or creating a central government body to access them. There would be little additional government cost and few, if any, privacy concerns for anyone not perpetrating or directly connected to an attack. In short, such a plan would promote a higher level of prevention through better-funded protection.
‘Cyber 9/11’ Will Only Be Followed By More, Worse Attacks
Panetta’s plan suggests that an attack is unavoidable. The problem with a method that almost assumes an attack will happen, or requires a successful attack in order to be implemented, is that it usually does more harm than good.
After 9/11, poorly planned responses crippled the airline industry and nearly bankrupted the country, and the integration of government communication systems that could have prevented the event in the first place is still not complete.
The real concern is that we do, in fact, get hit with a 9/11 cyber attack, as the Department of Defense has anticipated, and that the response to the event either creates an even bigger financial or privacy problem or sets the stage for a much larger attack. None of these are mutually exclusive. Unfortunately, we need to anticipate such a dire outcome. If you are driven to interconnect your systems nationally, then doing it quickly, let alone at all, would be a very unwise idea.