LulzSec is dead, long live Anonymous

With law enforcement officials claiming that LulzSec has been decapitated, what does this mean for Anonymous?

The web is awash with hydra metaphors, but the truth is that no-one can say exactly what the effects are likely to be. Not for a while, anyway.

It’s always been clear that the number of Anonymous members with real hacking skills is a small core. Most ‘Anons’ are little more than camp followers - happy to download and use DDoS tools such as LOIC and Slowloris, but with little real clue as to how they work.

The dangers inherent in that ignorance have been made only too clear lately. In South America and Spain, law enforcement officials arrested 25 alleged Anonymous members after analysing the IP addresses recorded in the logs of attacked websites. Most Anons, it seems, are unaware that the tools they use to further their cause do nothing to hide their identities: LOIC sends its flood straight from the user’s own connection, and every request arrives in the target’s web server log with that source address attached.
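The kind of log analysis that produces those arrests is not sophisticated. The following is an added example, not code from the original post: it parses web server access logs in the common "combined" format, counts requests per source address in a sliding window, and returns the addresses whose peak rate marks them as flood participants. The log lines are constructed for the example and use RFC 5737 documentation addresses, not real attackers.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; this pulls out the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flood_sources(lines, window_s=60, threshold=20):
    """Map each source IP to its peak request count in any `window_s`-second
    window, keeping only IPs whose peak exceeds `threshold`.

    A sliding window over each IP's sorted timestamps: the same aggregation an
    investigator runs to list the heaviest hitters after a DDoS."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    hot = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak = lo = 0
        for hi, t in enumerate(stamps):
            while (t - stamps[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            hot[ip] = peak
    return hot


def sample_log():
    """Constructed access log (not real data): two flooding hosts and one
    ordinary visitor, all on RFC 5737 documentation addresses."""
    base = datetime(2012, 2, 28, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')

    for i in range(50):                 # 50 hits in 25 s: a LOIC-style HTTP flood
        add("203.0.113.7", i * 0.5, "/")
    for i in range(30):                 # 30 hits in 9 s from a second participant
        add("192.0.2.99", 100 + i * 0.3, "/index.php")
    for i in range(6):                  # a normal visitor: one page a minute
        add("198.51.100.20", i * 60, f"/page{i}.html")
    lines.append("not a log line at all")  # junk is skipped, not fatal
    return lines


if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(sample_log()).items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {peak} requests in one 60 s window")
```

The threshold and window are deliberately crude; in practice you would also separate the flood addresses by user agent and request path, and then hand the list to the ISP or the police, which is exactly what happened here.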

And many Anons have managed to infect their own machines with the Zeus trojan after downloading a version of Slowloris that had been maliciously altered by cyber-criminals unknown. It’s not beyond the bounds of possibility that the people responsible for exploiting these clueless hacktivists might themselves be members of Anonymous. After all, the botnet formed by the infected machines would prove a useful weapon in the group’s activities. And it’s quite possible that at least a portion of the Anonymous movement is also engaged in criminal activities: DDoS attacks are a useful way of masking other crimes.

The thing is, Anonymous is such an amorphous grouping, spanning many countries and embracing so many ideologies and political viewpoints, that it’s almost impossible to rule out anything. And while Sabu and the others indicted in the most recent arrests were clearly the key players in LulzSec and AntiSec, and formed a hacking corps within Anonymous, there are other hackers out there happy to wave the Anonymous banner.

We can expect more arrests as the paranoia levels rise and hackers turn on each other. But we can also expect more attacks. For example, the take-down of Sabu, Anarchaos, Topiary, Pwnsauce, Palladium and Kayla will have no effect on the Anonymous hackers in India responsible for leaking Symantec source code. And there will be others in the US, UK and elsewhere rash enough (or stupid enough, depending on your viewpoint) to think they’ll be able to take Sabu’s place and get away with it. Confidence verging on arrogance is the hallmark of many of these hackers - and the source of their downfall.

It’s a cliché, and a fallacy, to characterise hackers and hacktivists as teenagers. But it is demonstrably true that much of their professed ideology is, to put it politely, somewhat naive. And then there’s the attitude - those hilariously portentous videos and the ‘you can’t catch us, copper’ taunting. (Untrue, as it happens.) Anons may span a range of ages (at least one of those 25 recently arrested was 40 years old), but much of the movement shares an immature view of the consequences of their actions.

(As a side note, the part of the brain that allows us to foresee consequences doesn’t fully develop until we’re in our early 20s, which explains the high accident rate among teenage drivers.)

And so hacktivism will continue. Anonymous will continue - largely ineffective but scoring occasional hits. And while Anonymous has never really represented anything more than a noisy and self-aggrandising nuisance, that’s not to say it isn’t a danger to the security and reputation of the organisations on whom it turns its attention.

The problem with the arrests of the people accused of being the LulzSec chiefs is that some companies might think the threat has passed. It hasn’t. A lesson has been taught to those who might take their place, but experience shows that such lessons are usually ignored. Anonymous has already branded the arrested people as losers: it has thrown them overboard.

The self-important posturing that is so intrinsic to the Anonymous style of hacktivism means that Anons will keep attacking, and will keep being arrested. This is the new reality of the net.

[This post is based on the editorial in the March issue of Computer Fraud & Security]

Sabu the snitch - as predicted six months ago

So, it turns out that the infamous ‘Sabu’, the somewhat cocky leader of LulzSec and one of the few members of Anonymous credited with real hacking skills, has been an FBI informer for months.

This is not news to someone who goes by the name ‘HuntJaeger’ on Twitter. Just over five months ago I witnessed a Twitter exchange between anonymouSabu (as Sabu called himself on Twitter) and HuntJaeger. This was shortly after Sabu started tweeting again, having been silent for a couple of months.

HuntJaeger was in no doubt why Sabu had been observing radio silence. He accused the LulzSec hacker of having been turned by the FBI. “So, you’ve completed the FBI snitch training and are now back to rat out your comrades…” he said.

This is how it goes in the hacker underworld, of course. Every book I’ve ever read about illicit hackers (to differentiate them from the good kind) makes the point that, once nabbed, they waste no time in ratting out their comrades. It all contributes to a good, healthy spirit of paranoia.

Now that the arrests have been made and the indictments unsealed, Sabu - or Hector Xavier Monsegur, as his friends and family know him - is probably looking at jail time. I hope those lulz were worth it.

Predictably, Anonymous is putting on a brave face. And to be honest, Anonymous is about a lot more than LulzSec or AntiSec. But it looks like the movement might have lost some of its most skilled hackers.

Watch out! Hackers!

The very word ‘hacking’ is enough to make some people paranoid. Of course, it doesn’t help if they’re paranoid already.

Case in point: last week I was on a Certified Ethical Hacker (CEH) course in the UK. Right at the beginning, our instructor warned, “If anything goes wrong, even if the Coke machine breaks, we’ll get blamed”. And so it proved.

The training facility was alongside a hotel that is used by a number of training companies. In the bar, you’re likely to bump into all kinds of people. A couple of the lads on our course got talking to some people who refused to say what they did for a living or what kind of training they were doing. As it happens, we’d already discovered, by other means, that they were undercover police officers. I wasn’t there, but apparently, when they learned that we were hackers in training, their jaws hit the floor.

Sure enough, the next day the manager of our training company stormed into the classroom and read us the riot act. Someone, he alleged, had been hacking outside of our subnet. ‘Someone’ had complained they were being hacked. We all knew who that was.

It was nonsense, of course. Okay, we had a couple of minor glitches. One of the students thought it funny to email the trojan we’d just built to all his mates. (It would have been picked up by anti-virus software in a millisecond and, in any case, wouldn’t have worked outside our network.) And a fellow student and I caused the receptionist to have to reset the wi-fi access point. We’d been using the Zyxel device as a zombie in an Nmap idle scan. But hey, that device was on our subnet and therefore classed as ‘fair game’.
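For readers who haven’t met it, the idle scan is worth seeing in slow motion, because it explains both why the access point was a useful zombie and why it ended up needing a reset. The following is an added simulation, not code from the post or from Nmap: it models a zombie whose IP ID counter increments by one per packet sent (the ‘incremental’ class Nmap looks for), a target with open, closed and filtered ports, and an attacker who reads the zombie’s counter before and after forging a SYN to the target with the zombie’s source address. Real Nmap also verifies the zombie’s IP ID class first and retries ambiguous ports; the addresses used are RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field


@dataclass
class Zombie:
    """The idle host. All that matters is that it answers unsolicited SYN/ACKs
    with a RST, stays silent on unsolicited RSTs, and stamps every packet it
    sends with the next value of one global IP ID counter."""
    ip: str
    ip_id: int = 1000
    sent: int = 0          # packets emitted, to show the load a scan puts on it

    def emit(self):
        self.ip_id = (self.ip_id + 1) & 0xFFFF   # 16-bit field, wraps
        self.sent += 1
        return self.ip_id

    def receive(self, pkt):
        if pkt["flags"] in ("S", "SA"):
            return {"src": self.ip, "dst": pkt["src"], "flags": "R", "ip_id": self.emit()}
        return None            # a stray RST gets no reply


@dataclass
class Target:
    ip: str
    open_ports: set = field(default_factory=set)
    filtered_ports: set = field(default_factory=set)

    def receive(self, pkt):
        """Answer a SYN to pkt['src'] (the forged source, i.e. the zombie)."""
        if pkt["dport"] in self.filtered_ports:
            return None                                   # dropped by a firewall
        flags = "SA" if pkt["dport"] in self.open_ports else "R"
        return {"src": self.ip, "dst": pkt["src"], "flags": flags}


def probe_zombie(zombie, attacker_ip):
    """Send the zombie a SYN/ACK from our own address and read the IP ID of its RST."""
    reply = zombie.receive({"src": attacker_ip, "dst": zombie.ip, "flags": "SA"})
    return reply["ip_id"]


def idle_scan(attacker_ip, zombie, target, ports, background_pkts=0):
    """Classify each port from the zombie's IP ID delta around a forged SYN.

    delta 1: only our own probe made the zombie talk  -> closed or filtered
    delta 2: the target's SYN/ACK provoked an extra RST -> open
    other:   the zombie wasn't idle (background_pkts simulates other traffic)
    """
    results = {}
    for port in ports:
        before = probe_zombie(zombie, attacker_ip)
        for _ in range(background_pkts):      # the 'zombie' talking to someone else
            zombie.emit()
        forged = {"src": zombie.ip, "dst": target.ip, "flags": "S", "dport": port}
        reply = target.receive(forged)
        if reply is not None:
            assert reply["dst"] == zombie.ip  # the target never sees our address
            zombie.receive(reply)
        after = probe_zombie(zombie, attacker_ip)
        delta = (after - before) & 0xFFFF
        results[port] = {1: "closed|filtered", 2: "open"}.get(delta, "unknown")
    return results


def run_demo(background_pkts=0):
    """Constructed scenario: an idle access point as zombie, a target with two
    open ports, two closed ports and one filtered port."""
    zombie = Zombie(ip="192.0.2.1")
    target = Target(ip="198.51.100.10", open_ports={22, 80}, filtered_ports={8080})
    results = idle_scan("203.0.113.5", zombie, target, [22, 23, 80, 443, 8080], background_pkts)
    return results, zombie.sent


if __name__ == "__main__":
    res, load = run_demo()
    print(res, f"zombie sent {load} packets")
    print(run_demo(background_pkts=3)[0])
```

Two things fall out of running it. First, the target only ever sees the zombie’s address, which is the whole appeal of the technique. Second, the zombie sends at least two packets per port scanned plus one more for every open port, so a full port sweep bounced off a small consumer access point is thousands of packets the device never asked for, and a busy zombie (the background_pkts case) returns nothing but ‘unknown’.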

It seems that no-one pays attention to that ‘ethical’ adjective. If they hear the word ‘hacker’ they feel under attack. Oh well…

Who is Anonymous?

Reports that members of the Anonymous hacktivist movement have defaced the website of Irish opposition party Fine Gael are being denied by … well, members of Anonymous.

The hack exposed details of 2,000 members of the party. But chatter within Anonymous IRC channels suggests that most people who identify themselves with Anonymous want to distance themselves from this action.

It’s a problem, though, isn’t it?

The whole point of Anonymous is that anyone can join. There’s no formal membership. You don’t have to register at a website. All you have to do to be a member is to say so. The movement prides itself on being amorphous, which makes it difficult to attack (though not impossible). It even tries to suggest it doesn’t have a leadership (which is a lie, but a discussion for another time).

So whoever attacked the Irish website has as much right to call themselves ‘Anonymous’ as anyone else.

However, there are some clues that this action wasn’t carried out by the kind of people who hang out in the usual Anonymous IRC channels. According to some reports, the hack was quite sophisticated. And the technical skill level of most Anons is pretty low. Most are little more than script kiddies, if that.

To give you an example: during the recent, high-profile attacks on PayPal et al, there was a hiatus during which there was no target defined. Anons were getting restless. Many visitors to the #operationpayback channel were desperate to attack something, anything. They wanted a target domain or IP to plug into their LOIC clients. Someone with a mean sense of humour and a little more knowledge than most suggested: “Attack 127.0.0.1”.

It was disheartening how many took this seriously. I suspect that a few had logged off IRC in the excitement of having a new victim, and didn’t see subsequent announcements that mounting a DDoS attack on your own machine might be a bad idea. It would have been fun to watch, though. They probably thought they’d brought down the entire Internet…