The Dark Arts: Meet the LulzSec Hackers

It’s difficult to say if [Aaron Barr], then CEO of software security company HBGary Federal, was in his right mind when he targeted the notorious hacking group known as Anonymous. He was trying to correlate Facebook and IRC activity to reveal the identities of the group’s key figures. In the shadowy world of black-hat hacking, getting your true identity revealed is known as getting doxed, and is something every hacker fears. Going after such a well-known group would be sure to get his struggling company some needed publicity. It would also have the most unfortunate side effect of getting the hacking group’s attention as well.


Perhaps [Aaron Barr] expected Anonymous to come after him…maybe he even welcomed the confrontation. After all, he was an ‘expert’ in software security. He ran his own security company. His CTO [Greg Hoglund] wrote a book about rootkits and maintained the website rootkit.com that boasted over 80 thousand registered users. Surely he could manage a few annoying attacks from a couple of teenage script kiddies playing on their parents’ computer. It would have been impossible for him to know how wrong he was.

It took the handful of hackers less than 24 hours to take complete control over the HBGary Federal website and databases. They also seized [Barr’s] Facebook, Twitter, Yahoo and even his World of Warcraft account. They replaced the HBGary Federal homepage with this declaration – with a link to a torrent file containing some 50,000 emails resting ominously at the bottom. At the same time, they were able to use social engineering techniques to SSH into the rootkit.com site and delete its entire contents.

It became clear that this handful of Anonymous hackers was good. Very good. This article will focus on the core of the HBGary hackers that would go on to form the elite LulzSec group. Future articles in this new and exciting Dark Arts series will focus on some of the various hacking techniques they used, including SQL injection, cross-site scripting, remote file inclusion and many others. We will keep our focus on how these techniques work and how they can be thwarted with better security practices.

LulzSec – For the Lulz

Name: Jake Davis

Alias: Topiary

Age at Arrest: 18

Hometown: Shetland Islands, Scotland

Role: Spokesperson

Twitter

[Jake Davis] – aka [Topiary] – might have been the least technically skilled of the group, but he made up for it in his ability with words. He was by far the most articulate of the group and commanded the official LulzSec Twitter feed, where he taunted the group’s victims and appeased their ever-growing fan base. [Topiary] goes back to the days of Anonymous and its origin on the popular image board 4chan. Being articulate and quick-witted, he was exceptionally good at doing prank calls while streaming them live to eager fans. His talent did not go unrecognized and the role of “mouthpiece” for Anonymous was his for the taking. Whenever a home page was defaced and replaced with an official Anonymous message, he was the author. The hacked HBGary homepage linked above was [Topiary’s] work.

Lest we leave you with the impression that [Topiary] was not a hacker, he learned a great deal of technical skills during his involvement with Anonymous and later Lulzsec. When he was arrested at his home on the Shetland Islands, he had 17 virtual machines running on an encrypted drive. His last tweet before his arrest – “You cannot arrest an idea”.

 

Name: Mustafa Al-Bassam

Alias: Tflow

Age at Arrest: 16

Hometown: London, England

Role: Highly skilled coder

Twitter

[Mustafa Al-Bassam] – aka [Tflow] – was a bit socially awkward, but you would have never known it based on his demeanor in the secluded chat rooms of the Lulzsec hackers. Cool, calm and collected, [Tflow] never got involved with the many arguments that took place. The ability to check his emotions combined with advanced coding skills led his fellow hackers to believe he was much older than he really was. [Pwnsauce], another Lulzsec member whom we will not cover due to lack of information, believed he was at least 30 years old.

It was [Tflow] who first shed light on [Aaron Barr’s] plans to dox the Anonymous “leaders”. It was [Tflow] who wrote an advanced piece of code that allowed the citizens of Tunisia to get past their government’s ISP restrictions during the Arab Spring and post on social media. Let that sink in for a minute…a 16-year-old teenager had empowered an entire nation of people with a PHP script. [The Jester], a hacker who commanded a massive bot-net, once tried to hoodwink [Tflow] and his fellow hackers with a malicious script. [Tflow] took the script, reduced it from a few dozen lines to only two lines without limiting functionality, and sent it back to [The Jester] with the following note: Try this instead.

 


Name: Ryan Ackroyd

Alias: Kayla

Age at Arrest: 24

Hometown: South Yorkshire, England

Role: Server Penetration

Twitter

[Ryan Ackroyd] was big into computer video games as a teen. He liked hacking them and hung out online with other like-minded people. A girl by the name of [Kayla] joined their circle of friends and [Ryan] enjoyed her company. A rival video game hacking group tried to hack [Ryan’s] group, and targeted the weakest link – 16-year-old [Kayla]. They destroyed her social networks and even got into her parents’ bank account. [Ryan] and his friends were furious. They all went after their rival, using the alias [Kayla] in her honor. Their retribution was so devastating that “Kayla” earned a reputation across this particular corner of the internet as someone not to cross. Over the years, the group fell apart, but [Ryan] remained and kept the alias of a 16-year-old girl named [Kayla] who shouldn’t be messed with.

It was [Kayla] who socially engineered her way into rootkit.com. It was [Kayla] who discovered the SQL injection vulnerability on the HBGary Federal website. She later wrote a program that scanned URLs many times per second looking for zero days. She’s a self-taught reverse engineer and was arguably the most skilled hacker on the LulzSec team. She even had a trip wire in her apartment that wiped all hard drives when the police entered, and was branded by the courts as “highly forensically aware”. That’s legalese for “This guy knows his stuff”. She has some wise words in this reddit thread.

 

Name: Hector Monsegur

Alias: Sabu

Age at Arrest: 28

Hometown: New York City

Role: Leader & Skilled Hacker

Twitter

[Hector Monsegur] – aka [Sabu] – was the oldest and most mature of the LulzSec hackers. He was the recognized leader of the group. He drove daily operations and squashed arguments. He was also a very skilled hacker himself, coming from a background of hacking government websites in his native Puerto Rico. [Sabu] was a hacktivist, and believed in hacking for a social cause, while many of his team were still beholden to their 4chan/b/ days of hacking “for the lulz”. [Sabu] was not only a hacker of computers, he was a hacker of people, and highly skilled in the art of social engineering. Using his skills, he was able to steer LulzSec in the direction he wanted it to go.

[Sabu] was the first of the LulzSec hackers to get doxxed. When he was confronted by the FBI with a 100+ year prison sentence, he could not bear the idea of his kids growing up without him and turned informant. He has only recently returned to Twitter, much to the annoyance of Anonymous.

Now What?

You have met the core of the LulzSec hackers. There are two more that we did not talk about due to lack of information: [Pwnsauce] and [AVUnit]. As of today, no one knows the true identity of [AVUnit]. It’s possible there are even more that we don’t know about. However, it is generally recognized that the hackers covered here were the core members.

Now that we know a little bit about the people behind some of the most remarkable hacks of modern times, we will go into detail about how they were able to carry these hacks out. If you’re looking for a “How to Hack a Website 101” tutorial, this series of articles will disappoint you. But if you want to know how these former hackers were able to do what they did, you will find this series quite enjoyable. We’re not just going to talk about the various techniques used, we’re going to understand how they work on a fundamental level. So stay tuned and keep your virtual machines on standby.

 

Sources

We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency, by Parmy Olson. ISBN 978-0316213523

47 thoughts on “The Dark Arts: Meet the LulzSec Hackers”

  1. I have such mixed feelings about these groups. Sure they are very skilled and their dedication to the craft admirable, but stuff like they did to that Aaron guy is basically bullying. You must listen to the opinions of the guy with the bigger stick, better bow, more powerful gun, etc. You are wrong not because you are wrong, but because you are outgunned. Those with the power tell you what you must think and feel, and how dare you disagree with them or tell them that they may be wrong. Didn’t we fight wars to get away from that kind of stuff?

    1. Here’s the thing, he went after them so they went after him.
      When they were made known to the FBI their lives were severely negatively affected. Aaron Barr did it for personal gain, so in return they made him suffer however they could.

      1. Didn’t mean to end that comment there. So really I have no sympathy for him. Had he wanted to he could have done it anonymously not for personal gains and business success.

      2. > Here’s the thing, he went after them so they went after him.

        Yep. In the end they were still kids. Their ego was much, much larger than their maturity. Of each and every one involved. And that’s the most dangerous state for any person: when someone’s ego becomes larger than his maturity. Because that’s when ego starts to make the decisions, instead of intelligence.

          1. Egos have started far too many hacks, skirmishes, wars and terrorist attacks.

            There’s no reason to poke sides. It is an issue of all society not just “modern western society.”

    2. “Those with the power tell you what you must think and feel, and how dare you disagree with them or tell them that they may be wrong. Didn’t we fight wars to get away from that kind of stuff?”
      Hmm, and who won? It looks like it describes current crop of governments pretty accurately (political correctness etc). Anonymous were against people who tell them what to think and feel…

  2. HBGary Federal got what it deserved and so did LulzSec, just because it’s happening in cyberspace doesn’t mean that this was anything more profound than two street gangs fighting it out in back alleys.

    1. Yeah, but you don’t feel sorry for them, because you don’t really know what you are talking about.

      They did not kill anybody. But some of your 1000 gun toting lunatics did that just today, just yesterday, the day before .. and tomorrow again.

      Man, your moral compass points south.

      1. Aaron Barr is an idiot for picking a fight with Anonymous. Especially so since he claimed to be a security expert. He should have known better. He gets no sympathy.

        The rest of them were idiots for wasting their talent as hackers, social engineers and on something like this. Hector Monsegur turned against Anonymous and made himself a potential target of them. No sympathy for them either.

        I’m not saying being a hacker is a waste of time. Far from it. People like this wield an amazing amount of power.
        I’m not saying gun toting lunatics are harmless, look at what ISIS has accomplished.

        But at the head of every successful revolution, terrorist group or government is a group of very smart people capable of changing the world.

          1. -isis is trying to bring about Armageddon (literally, the war to end all wars, is their objective).
            -the US is a clusterfuck of post cold-war paranoia and a belief that they are somehow the “world police”

            both sides are fucked and, neither of them can claim any sort of moral high-ground. but, if I had to choose between the two I think I’d rather have the US win. At least I might survive that, being a buddhist I would face persecution from isis.

          2. I think that’s the point: shit loads of people have died because a small number of people at the top of both sides decided it. Small numbers of people change the world. The Russian, American, and French revolutions all happened because of small groups. Less than a third of the American people took part in ours. For better or worse, small groups lead.

            And yes, hackers can be extremely dangerous. Remember the Iran hack, at their nuke facility? Could have been Chernobyl 2.0 if things were just a little different. Hackers should use their skill for good, not lulz.

        1. “But at the head of every successful revolution, terrorist group or government is a group of very smart people that became rich from the blood of others.”

          There, fixed that for you.

          1. “But at the head of every revolution, terrorist group or government is a group of very greedy people that became rich from the blood of others.”

            There, fixed that for you.

    1. On purpose. Ryan played the Kayla role well. So well that he fooled many people despite Rule #16. He often punctuated his posts with hearts and told elaborate stories of ‘her’ background.

      1. My first thought was . . . similar to steve’s but less rude. If Ryan’s preferred pronoun is she, all good. If he prefers ‘he’ but you picked ‘she’ because of the character he played, that’s getting close to the “we’ll use what pronoun we want regardless” area that people who use the word ‘tranny’ are also a part of.

        I don’t know Ryan, and will assume Will’s good intention. After all, Lulzsec can take care of fixing the pronouns of this post if they didn’t agree. ;-)

  3. Governments hurt people and so do these type of people. Some of their methods are different some are the same, as with their reasoning for doing so. You can keep both of them. Doing stupid shit to harm someone for the “lulz” or not makes them no different than the people they “protest against”. None of them are heroes any more than anyone else is.
    The article is educational in that it teaches you that there are certainly idiots in the world that are just smart enough to be dangerous. As far as bringing to light anything that will protect you from idiots.. good luck with that. I hear the idiot factory is still going full bore…

  4. I don’t recall the details of this case offhand, but I’m going to guess that HBGary was hacked not so much due to the skill of LulzSec but rather as a result of their own technical incompetence.

    1. Yeah, I have to agree.

      I admit I wasn’t aware of any of this, and was slightly intrigued. Enough that I spent 15 minutes or so reading up about it elsewhere. So I appreciate this article, but…

      it’s intended to be the first of a *series* of articles? I think that’s stretching it. If people are interested, the information is out there. And if you look in the right places, all written up more concisely. If that’s your preference, of course. Some may prefer a storytelling-oriented style, but it doesn’t work for me, at least on this topic.

      1. Having been aware of these hacks while they were going on, I don’t think any of these people wanted the spotlight. HBGary “threatened” Anonymous; LulzSec responded but outside of a few dark corners of the web no-one knew who LulzSec was. Names like Sabu and Topiary weren’t known at the time to the internet at large, because they knew better than to crave the spotlight. Sabu screwed up and got the “turn on your friends or do 100 years in jail for making the FBI look stupid” speech. (and by making the FBI look stupid, I mean listening in on the phone calls between the FBI and Scotland Yard . . . let that sink in).

        Now, I’ll admit that I don’t come to HAD for frontline security information; the definitions of ‘hack’ are too different. But this is both an important piece of information security history, and a lesson in security. The Internet of Things is going to be the major target of hacks like this in the near future, and it benefits builders of these devices to know a bit about the history of the very major events (at least the publicly major ones) and to have the interest in making sure it’s not their devices that aid in the next one being executed. Because of that, I’d say the story belongs. As for the article portraying Barr as an idiot and LulzSec as “elite black-hats” . . . I’d say LulzSec did that themselves, regardless of whether you believe they were in the right or the wrong. You don’t get the FBI to help you wire-tap the FBI without being really deceptive.

  5. I think what we have to remember is, on both sides, that morals (or morals we like) and skills don’t always go hand in hand but still it’s always fun to read about true artists.

  6. Please stop giving people like this attention. If they want to put their intelligence to use for curing cancer, or something else useful, then I’ll listen to what they have to say.

      1. Oh, please. People throughout history have died for merely expressing their opinion. They didn’t have the luxury of sitting in a nice, comfy chair near their shiny computers.

        There’s a big difference between wanting to change the world and just wanting people to think “Wow, that guy must be a genius!” Most people grow out of the latter post-puberty.

        Please attack the argument rather than the person making it, next time.

  7. To me it’s just another group from 4chan group doing ddos on stuff that gets no results with public SQL and CGI fuzzers over HTTP..

    You have enough people all but hardened boxes are yours to take..

  8. Kayla’s biggest mistake was being in Lulzsec given Kayla was already well known and highly respected in the underground for years. The stuff he did dwarfs his Lulzsec career and he didn’t need the twitter/media attention in that respect, so I’d love to know why he decided to go that route after an already successful hacking career. Seems like they’ve all grown up now regardless, I wish them well.

  9. Hey guys, just a point re: accuracy here. The extensively researched account of lulzsec by Coleman (“hacker, hoaxer, whistleblower, spy” Verso, 2014) points out that it is not only ironic but misleading to refer to anyone as a spokesman for Anon. So, maybe choose a different title for Topiary?
