Some of you may remember me talking about LulzSec last year. For those who don’t, LulzSec was a hacking group that splintered off from Anonymous and made a name for itself by creating widespread havoc across the Internet over the past year. LulzSec has been involved in several high-profile hacks, including those of Sony, Fox.com, InfraGard and, most recently, Stratfor, to name just a few. When bored, the group launched DDoS (Distributed Denial of Service) attacks against, and successfully knocked offline, websites such as CIA.gov and FAA.gov. When the security consultants Black & Berg Cybersecurity Consulting offered a $10k prize to anyone who could hack their website, LulzSec hacked it and then declined the prize money. Last month, when the FBI held a conference call with Scotland Yard about the group’s antics, LulzSec obtained access to the call, recorded it, and posted the recording online.
That the group has been playing with fire for quite some time is undeniable. Nobody can continually and publicly both embarrass and evade the FBI forever. Many people (myself included) have been wondering how LulzSec managed to operate so publicly for so long (the group maintains websites and posts Twitter updates) without being busted, and it appears we now know the answer. Yesterday, after several key members of LulzSec were arrested, it was revealed that the group’s leader, Sabu, had actually been busted last summer and has been working with the FBI ever since.
Sabu’s real name (Hector Xavier Monsegur) wasn’t originally uncovered by the FBI: fellow hackers at Backtrace Security publicly “doxed” Sabu (released his personal information) several months before the FBI moved in. Rumor has it that Sabu logged in to IRC (Internet Relay Chat) through an anonymizing proxy to hide his IP address every single time he accessed the system, except once. That one time may have been all it took for someone to track down his true location. Sabu’s real name was also briefly exposed by a glitch during a domain renewal. Again the exposure was slight, but when dealing with the FBI, sometimes that’s all it takes. Sabu was arrested, interrogated, and ultimately convinced to work with the FBI in bringing in the rest of LulzSec’s members.
The movies Ronin, Reservoir Dogs, and The Dark Knight all have something in common: each features a group of criminals who, for their own protection, don’t know each other’s identities. I’m guessing the members of LulzSec weren’t fans of those films. Yesterday Ars Technica broke the story of how the FBI tracked down the identity of Sabu’s co-conspirator Anarchaos. According to the article, the FBI scoured nine months’ worth of chat logs, cross-referencing every single bit of identifying information they could find. In those nine months of logs, Anarchaos mentioned that he had been arrested for possession of marijuana, that he had been arrested for protesting at the Republican National Convention in New York City, and that he was on probation. The FBI cross-referenced these bits of information and came up with the name Jeremy Hammond, a 27-year-old hacktivist living on the south side of Chicago. After months of surveillance, Hammond was arrested yesterday by the FBI.
Oh, and the hacker that managed to record that FBI conference call? His alias is Palladium. He’s nineteen years old and lives in Ireland. He was also arrested yesterday.
The most interesting thing about this implosion is the question of entrapment. I have to admit that all I know about entrapment comes from watching drug and prostitution stings on episodes of COPS, but according to the information released so far, while working with the FBI, Sabu (a) advised Palladium on what to do with the FBI conference call recording before the hack took place, and (b) provided other members of LulzSec with servers on which to store looted information, including stolen credit card numbers. All of this happened while he was working directly with the FBI.
Will Anonymous go quietly? No. Today Anonymous defaced Panda Security’s website, and launched a DDoS attack against (among other targets) WhiteHouse.gov. The end of an era for some is often a rallying cry to others.
In the 10 or so years I’ve been dealing with IT security I’ve learned that there is no password, no form of encryption, no secret code that is 100% safe if a human being knows how to access it. An eight-character password made up of upper- and lower-case letters combined with the common keyboard symbols has roughly 3 quadrillion possible combinations; even at a million guesses per second, trying all of them takes close to a century, and at one guess per second it takes tens of millions of years. Extracting that same password from a human being as you pull their fingernails off with a rusty pair of pliers takes significantly less time. Pulling the fingernails off their children’s fingers while they are forced to watch often produces even speedier results.
It has been rumored that Sabu turned on his fellow hackers after the FBI threatened to take away his two children. A dirty and simple, yet amazingly reliable and consistently successful, tactic. For all the effort the LulzSec members spent protecting their identities from the world, they did not put nearly enough effort into protecting them from one another.