The Dark Arts: Meet the LulzSec Hackers

It’s difficult to say if [Aaron Barr], then CEO of software security company HBGary Federal, was in his right mind when he targeted the notorious hacking group known as Anonymous. He was trying to correlate Facebook and IRC activity to reveal the identities of the group’s key figures. In the shadowy world of black-hat hacking, getting your true identity revealed is known as getting doxed, and is something every hacker fears. Going after such a well-known group would be sure to get his struggling company some needed publicity. It would also have the most unfortunate side effect of getting the hacking groups attention as well.

DA_06
Aaron Barr

Perhaps [Aaron Barr] expected Anonymous to come after him…maybe he even welcomed the confrontation. After all, he was an ‘expert’ in software security. He ran his own security company. His CTO [Greg Hoglund] wrote a book about rootkits and maintained the website rootkits.com that boasted over 80 thousand registered users. Surely he could manage a few annoying attacks from a couple of teenage script kiddies playing on their parent’s computer. It would have been impossible for him to know how wrong he was.

It took the handful of hackers less that 24 hours to take complete control over the HBGary Federal website and databases. They also seized [Barr’s] Facebook, Twitter, Yahoo and even his World of Warcraft account. They replaced the HBGary Federal homepage with this declaration – with a link to a torrent file containing some 50,000 emails resting ominously at the bottom. At the same time, they were able to use social engineering techniques to SSH into the rootkit.com site and delete its entire contents.

It became clear that these handful of Anonymous hackers were good. Very good. This article will focus on the core of the HBGary hackers that would go on to form the elite LulzSec group. Future articles in this new and exciting Dark Arts series will focus on some of the various hacking techniques they used. Techniques including SQL injection, cross-site scripting, remote file inclusion and many others. We will keep our focus on how these techniques work and how they can be thwarted with better security practices.

LulzSec – For the Lulz

jake_davisName: Jake Davis

Alias: Topiary

Age at Arrest: 18

Hometown: Shetland Islands, Scotland

Role: Spokesperson

Twitter

[Jake Davis] – aka [Topiary] – might have been the least technically skilled of the group, but he made up for it in his ability with words. He was by far the most articulate of the group and commanded the official LulzSec Twitter feed, where he taunted the group’s victims and appeased their ever-growing fan base. [Topiary] goes back to the days of Anonymous and its origin on the popular image board 4chan. Being articulate and quick-witted, he was exceptionally good at doing prank calls while streaming them live to eager fans. His talent did not go unrecognized and the role of “mouthpiece” for Anonymous was his for the taking. Whenever a home page was defaced and replaced with an official Anonymous message, he was the author. The hacked HBGary homepage linked above was [Topiary’s] work.

Lest we leave you with the impression that [Topiary] was not a hacker, he learned a great deal of technical skills during his involvement with Anonymous and later Lulzsec. When he was arrested at his home on the Shetland Islands, he had 17 virtual machines running on an encrypted drive. His last tweet before his arrest – “You cannot arrest an idea”.

 

Name: Mustafa Al-Bassammustaffa al massam

Alias: Tflow

Age at Arrest: 16

Hometown: London, England

Role: Highly skilled coder

Twitter

[Mustafa Al-Bassam] – aka [Tflow] – was a bit socially awkward, but you would have never known it based on his demeanor in the secluded chat rooms of the Lulzsec hackers. Cool, calm and collected, [Tflow] never got involved with the many arguments that took place. The ability to check his emotions combined with advanced coding skills led his fellow hackers to believe he was much older than he really was. [Pwnsauce], another Lulzsec member whom we will not cover due to lack of information, believed he was at least 30 years old.

It was [Tflow] who first shed light on [Aaron Barr’s] plans to dox the Anonymous “leaders”. It was [Tflow] who wrote an advanced piece of code that allowed the citizens of Tunisia to get past their government’s ISP restrictions during the Arab Spring and post on social media. Let that sink in for a minute…a 16-year-old teenager had empowered an entire nation of people with a PHP script. [The Jester], a hacker who commanded a massive bot-net, once tried to hoodwink [Tflow] and his fellow hackers with a malicious script. [Tflow] took the script, reduced it from a few dozen lines to only two lines without limiting functionality, and sent it back to [The Jester] with the following note: Try this instead.

 

ryan_ackroid

Name: Ryan Ackroyd

Alias: Kayla

Age at Arrest: 24

Hometown: South Yorkshire, England

Role: Server Penetration

Twitter

[Ryan Ackroyd] was big into computer video games as a teen. He liked hacking them and hung out online with other like-minded people. A girl by the name of [Kayla] joined their circle of friends and [Ryan] enjoyed her company. A rival video game hacking group tried to hack [Ryan’s] group, and targeted the weakest link – 16-year-old [Kayla]. They destroyed her social networks and even got into her parent’s bank account. [Ryan] and his friends were furious. They all went after their rival, using the alias [Kayla] in her honor. Their retribution was so devastating that “Kayla” earned a reputation across this particular corner of the internet as someone not to cross. Over the years, the group fell apart, but [Ryan] remained and kept the alias of a 16 year old girl named [Kayla] who shouldn’t be messed with.

It was [Kayla] who socially engineered her way into rootkit.com. It was [Kayla] who discovered the SQL injection insecurity on the HBGary Federal website. She later wrote a program that scanned URLs many times per second looking for zero days. She’s a self-taught reverse engineer and was arguably the most skilled hacker on the Lulzsec team. She even had a trip wire in her apartment that wiped all hard drives when the police entered, and was branded by the courts as “highly forensically aware”. That’s legalese for “This guy knows his stuff”. She has some wise words in this reddit thread.

 

hector_monsegurName: Hector Monsegur

Alias: Sabu

Age at Arrest: 28

Hometown: New York City

Role: Leader & Skilled Hacker

Twitter

[Hector Monsegur] – aka [Sabu] – was the oldest and most mature of the Lulzsec hackers. He was the recognized leader of the group. He drove daily operations and squashed arguments. He was also a very skilled hacker himself, coming from a background of hacking government websites in his native Puerto Rico. [Sabu] was a hactivist, and believed in hacking for a social cause, while many of his team were still beholden to their 4chan/b/ days of hacking “for the lulz”. [Sabu] was not only a hacker of computers, he was a hacker of people, and highly skilled in the art of social engineering. Using his skills, he was able to steer LulzSec in the direction he wanted it to go.

[Sabu] was the first of the LulzSec hackers to get doxxed. When he was confronted by the FBI with a 100+ year prison sentence, he could not bear the idea of his kids growing up without him and turned informant. He has only recently returned to twitter, much to the annoyance of Anonymous.

Now What?

You have met the core of the LulzSec hackers. There are two more that we did not talk about due to lack of information: [Pwnsauce] and [AVUnit]. As of today, no one knows the true identity of [AVUnit]. It’s possible there are even more that we don’t know about. However, it is generally recognized that the hackers covered here were the core members.

Now that we know a little bit about the people behind some of the most remarkable hacks of modern times, we will go into detail about how they were able to carry these hacks out. If you’re looking for a “How to Hack a Website 101” tutorial, this series of articles will disappoint you. But if you want to know how these former hackers were able to do what they did, you will find this series quite enjoyable. We’re not just going to talk about the various techniques used, we’re going to understand how they work on a fundamental level. So stay tuned and keep your virtual machines on standby.

 

Sources

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency, by Parmy Olsen. ISBN-978-0316213523

8 Bit Message in a Digital Bottle

As seasoned data-travelers, we’re used to wielding the internet to send messages and communicate to others without any limitations. No one has to be stranded on a figurative island blowing smoke signals… unless of course they wanted to be. What [Harm Alexander Aldick] has done with his project “Lorem Ipsum”, is create a situation where others can only communicate to him through a sort of message in a bottle. The bottle in this case is an electronic widget.

In this social experiment, [Harm] has stationed a small Ikea picture frame at his desk, which shows images and text sent to him in real-time from others in the world. With an Arduino as the brain, a small 8×8 LED matrix mounted at the bottom right of the frame displays the data received by means of an ethernet module. Anyone can use his web interface to modify the pixels of the matrix on a virtual version of the installation. Once sent, the message is transmitted through an IPv6 internet connection and is translated to UDP which the unit is controlled by.

[Harm]’s project investigates how people react when given the chance to send a message in complete anonymity to someone they don’t know… in of all things, the form of something as limited as 64 pixels. The project name “Lorem Ipsum” refers to the filler text used in graphic design to hold the place of what would otherwise be more meaningful information, so that it doesn’t detract from the experience of viewing the layout. Curious about what sort of ‘graphical experience’ I would come up with myself, I took a shot at punching away at [Harm’s] GUI. I got momentarily lost in turning the little red dots on and off and eventually turned out this little ditty:

ipsum1

It was supposed to be something of a triangle, yet turned into a crop circle… or pronged nipple. After it was sent, I wondered whether or not [Harm] actually saw it. In the case that he did, I can only imagine what I communicated to our fellow hacker abroad with my squall of dots. All of these thoughts though are the whole point of the project. Awesome work!

Now you see me, now you don’t, face detection scripts

Straight out of Ghost in the Shell, the Laughing Man makes his appearance in these security camera shots. [William Riggins] wrote us to let us know about his teams Famicam scripts. After taking a screen shot, faces are detected and counted, ‘anonymized’, and the final image is uploaded to Twitter.

The process is rather simple, and sure beats wearing a bunch of white reflective camouflage. All that’s left is detecting specific faces to make anonymous, and of course uploading the script to every camera in the world. Easy, right?

Tor hardware privacy adapter

hardwaretor

The Janus team have published a preview of their new Privacy Adapter. It’s a small two port router. You just plug it in-line between your computer/switch and your internet connection. It will then anonymize all of you traffic via the Tor network. You can also use it with OpenVPN. The hardware appears to be a Gumstix computer mounted to a daughtercard with two ethernet ports. It will have a web configuration just like a standard router. This looks like a great plug-n-play privacy device. The only improvement we would suggest is adding auto-detect so a crossover cable isn’t required.

Janus is responsible for JanusVM, a virtual machine designed to protect your privacy with technologies like Tor and OpenVPN.

[via @hdmoore]

Packet trace anonymization with PktAnon


If you’re a network researcher or systems administrator, you know that network traces are often necessary, but not easy to share with colleagues and other researchers. To help with both ease of use and handling of sensitive information, the Institute of Telematics has developed PktAnon, a framework that anonymizes network traffic.

It works by using a profile-based scheme that supports various anonymization primitives, making it easy to switch between different network protocols and anonymization methods. New primitives can easily be added, and several pre-defined profiles are bundled into the distro. The profiles are all XML-based.

Essentially, there are two major uses for network traces: anonymizing user traffic in order to research it, and anonymizing in-house usage, thus preventing the leakage of sensitive information. It’s a rather rigid scheme, but using profiles for this was a stroke of genius that made it a lot easier, more flexible, and as a result, more useful and powerful.

[via TaoSecurity]
[photo: mlpoulter]

Anonymizing clothing


Though much of [citizenFinerran]’s intent in designing a suit that camouflages the wearer from security camera footage was philosophical, it is designed with a very tangible purpose in mind. The suit does not provide true camouflage (to say nothing of true invisibility), but it does create enough moving visual obstructions to make the wearer completely anonymous on film. More details on this and other invisibility cloaks after the break.

Continue reading “Anonymizing clothing”

xB Browser for anonymous browsing


Download Squad highlighted the xB Browser today. It’s a product offered by XeroBank and is the successor to the TorPark project. The browser anonymizes your browsing using the Tor network and doesn’t remember passwords, sites visited, or any other personal information. Scripts and plugins are disallowed by default, since they could be used to identify you. Remember that Tor just anonymizes; you’re still at the mercy of the exit nodes when it comes to security.

That’s just the free version though. Subscribers to XeroBank have access to an anonymous mail server and VPN service. If you’re a subscriber your bowser session is tunneled through XeroBank’s pool of servers and not the Tor network. We think they should have maintained a separate product name since this distinction isn’t clear outside of the FAQ.