Lulzsec wtf?

Discussion in 'other security issues & news' started by Kevin McAleavey, Jun 19, 2011.

Thread Status:
Not open for further replies.
  1. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    I'm cross-posting this to DSLR also since these are the places I used to spend quite a bit of time at back in the old days.

    I was originally going to write up an article for a security blog, but have decided to just sit back and watch the drama between lulzsec and the security industry because this just gets weirder and weirder the more I've dug into what's going on here and I'm no longer sure that this is what it seems. Instead, I'm going to put forth some information to google for those interested in this continuing saga and let others have at it. A word of warning first, don't use Windows to dig too deeply. A number of off-ramps are polluted with things that are not good for Windows to see. But if you have OSX, Linux or want to download a free crippled copy of KNOS from CNET or Softpedia or one of the other download sites and make a CD to surf with, you'll be safe wherever your trail takes you. Just be careful if you use Windows ...

    An explanation of my own interest is in order here as well: Back in the days when I was involved with BOClean, we took an entirely different approach in developing our "signatures" for malware. The standard method of AV's, AT's and the like is to simply take a sample, generate a CRC32 or an SHA1 of the file and you have your signature and move on to the next one. All this method ensured was that if another copy of that exact same file was encountered, it would be detected. Since BOClean had an advantage of a memory scan where any packing or other obfuscation trick was voided once in memory, my unique choice was to actually study the individual authors and find a pattern (often text-based) that was a personal "signature" of the individual programmer that could be relied upon to be found in their NEXT "release." That was our secret to handling future "zero day" releases because if you investigated the source and pinned down THEIR behavior, you were sure to have something you could count on to happen again in addition to the default file pattern match.

    As a result, my own "behavior based" detection was the author themselves and so investigating the authors was something I enjoyed greatly and paid a lot of attention to. More importantly, investigating their builder code and how those worked since most of their "upgrades" involved newly assembled code which was "joined" by the same old toolkits. Finally, seeing how groups of authors would trade code. There were many commonalities since there was a limited number of authors who wrote successful infectors. This tack was the reason for our ability to do what we did successfully with such limited resources against so many new exploits back in the day. So naturally, this whole lulzsec thing was almost nostalgic for me and I have to admit I've been sucked in studying what lulzsec has been up to and more importantly trying to wrap my mind around who they are and what they're about in wanting to see about taking them out like I used to do in the BOClean days.

    What amazed me the most though was how *easy* it was to amass enough information to identify many of those involved in lulzsec and their history. It almost became anticlimactic in that I had pretty much pinned it down in less than four hours of googling. And from that, my wonder turned from who these people are to why they're continuing their rampage in the face of professional spooks that should have taken them out quite a while ago. Even more disturbing is that a number of the people involved have already been arrested before and are apparently "double agents." Therefore, what I'm going to do is publish just a little of what I've encountered for folks here to play with and confirm or deny to me after your own "investigation" if this whole thing doesn't smell mighty fishy.

    So here are the players for you to google, and I'll toss in a few interesting little morsels of some captured chats. I'm sure folks already know about the lulzsec.com ( http://lulzsecurity.com/ ) site and their @LulzSec twitter site ( http://twitter.com/#!/lulzsec ) ... no secrets there. The participants however are worth a google, and I'm going to toss some names and keywords out for you to go hunting ... but first, the culprits:

    Topiary (already arrested and known to Law Enforcement)
    Corey Barnhill -aka (Kayla)
    Hector Xavier Montsegur -aka Xavier de Leon -aka (Sabu)
    Chris Ellison -aka (Avunit)
    Soloman Saleh -aka (Tflow)

    First google stop for the lulz is "topiary barrett brown" ... "topiary" in particular is an interesting character who was involved in the HB Gary episode and apparently the paymaster for lulzsec as this interesting snippet of log shows:

    http://lulzsecexposed.blogspot.com/

    Some additional interesting reading here on the Barret Brown side and how the media circus is going: Keywords for google: "Gregg Housh marblecake"

    Story on the breakup between "anonymous" and "lulzsec" here: http://www.neogaf.com/forum/showthread.php?t=434234

    Here's "Jester's" information on the drama: http://th3j35t3r.wordpress.com/2011..._source=Jesters Court Blog&utm_medium=twitter

    More drama from seclists: http://seclists.org/fulldisclosure/2011/Jun/75

    Some theory on it all from reddit: http://www.reddit.com/r/4chan/comments/i0fim/lulzsec_pretty_well_documented_theory/

    ---

    So follow the players. Unfortunately my local captures of more drama snatched from twitter and other sources have vanished, but if you encounter 404's searching on google, those google caches are your friend. But once again, I warn heavily that a lot of the sites that show up should NOT be viewed on a Windows box. I use KNOS and so all the nasties that tried to download failed. Be careful! I'll try to post more of what I've encountered if I must, but it would be more interesting to people here if others look over the evidence and offer their own little morsels for everyone to enjoy. These skiddies are interesting even if they're just skiddies.

    MY question though is that since all of these players are well known and it appears quite clear that the players are known to law enforcement and they've been infiltrated for a while, WTF?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Windows isn't insecure if you set it up right. Even without third-party software, AppLocker/SRP, SUA/LUA, UAC, etc will protect you from those nasties just fine. Also Windows PE is pretty much invulnerable.

    As for LulzSec, they don't interest me that much.
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Kevin McAleavey

    Thanks for posting :thumb:

    Actually I am interested in their True modus operandi. Either they are all idiots, with tools, or they believe they won't Ever get caught? Of course just believing is NO guarantee, so it makes me wonder what the real deal is!

    I see they are registered in Nassau Bahamas via CloudFlare Inc in San Francisco USA.

    I'm "presuming" they haven't paid for any/all services with traceable ID's etc.

    If the recent news that they have been infiltrated is correct, I expect we'll see a slowdown of hacks/attacks etc!

    Quite honestly, I don't mind hearing/reading about Companies/Gov/Mil/Organisations etc etc that are "supposed" to have savvy IT etc people & big $ equipment protecting them, but STILL get hacked :D It just shows how stupid & incompetent they really are. Plus when we get to find out about bad etc things that are done in our name with Our tax $ by "legalised" protected crooks, I Love it :) Bring it on :thumb:

    However with the targets they keep choosing to go for, they are really asking "for IT" & I expect they will get IT, in more ways than one.

    If you discover ANY more info etc about Any of this, please post :thumb:
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I'm wondering if Lulzsec consists of the "rogue" members of Anon. It's well known that Anon long ago broke off into sections, though they were never truly a group to begin with. Lulzsec is doing the same idiotic things a section of Anon does, which is go after whoever ticks them off on a given day. Also, to be "fighting" each other a few days ago, and then say "well, we're joining forces with Anon", makes absolutely no sense. My gut tells me Lulzsec is a splinter off of the idiot section of Anon (a.k.a. the "chan" kids), and they're trying to puff out their chests by giving themselves a bigger name and trying to put a bit more fear out there with the thought of a "supergroup" of sorts.

    The main people behind Anon, are not this random, and they don't give two ~Phrase removed~ about gaming companies. Lulzsec seems almost desperate, they have this "look at me" thing going on, which is what will bring their world crashing down.
     
    Last edited by a moderator: Jun 20, 2011
  5. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    I dug into it primarily on a lark since I've been watching 4chan since around 2005'ish, and its reputation ... well ... heh. "Anon" and the lulzsec kids might visit there, but that place lost its luster for them years ago and they moved on to their own little "anonops" IRC and such. As to their "MO" it's just a bunch of malcontents hanging out in mom's basement trying to impress each other with how leet they are. Heh. This kinda stuff went on in the early 90's with BBS' as well. Just another dumb hacker movie in my book with some serious consequences yet to be felt.

    I've pretty much thrown out all the tidbits that were worth following - as the drama continues, the names of the players are in the OP and along with lulzsec, google and their twitter should keep those curious abreast of their meatsword swingings. I thought folks here and over at DSLR might be interested in knowing who some of these characters are, and where to look for those curious about them. Beyond that, not terribly interesting anymore now that I know what they're about ... somebody would have to pay me to care further since they won't be getting into any of our stuff. (grin)
     
  6. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    I saw some of the drama back and forth while searching - the club known as "anon" had a breakup over targeting and activities, and lulzsec is best called a "splinter group" of some of the former usual suspects. But yeah, they can haz ion cannon and they figured out which end to point. Analysis of their attacks isn't terribly impressive at all, they merely managed to find major corporations and institutions who hired bigger slackers than THEY are. :)

    If nothing else though, they're certainly showing the quality of geeks that corporations are offshoring. :(
     
  7. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Aw geez ... here we go. :)

    "Anon" and lulzsec have kissed, made up and produced an offspring. "Antisec."

    http://twitter.com/#!/search?q=%23AntiSec

    Word came from lulz' twitter here:

    http://twitter.com/#!/lulzsec

    Story here, and plenty of other reports:

    http://www.csmonitor.com/Innovation...nd-Anonymous-team-up-plan-digital-destruction

    http://www.pcmag.com/article2/0,2817,2387319,00.asp

    They've gone after the UK's SOCA. So looks like the media is going to keep feeding the lulz, not much need for me to continue posting then. They have SEEN the media, they like it, and I'm getting off the stage before somebody yells "incoming!" Heh.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  9. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  10. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
  11. jasonblake7

    jasonblake7 Registered Member

    Joined:
    Aug 19, 2008
    Posts:
    70
    Quoting from their IRC channel.

    <dotC> anonesc esc
    <dotC> "The good news everybody: Ryan has little to do with #LulzSec besides running IRC. All 6 members of @LulzSec are fine and safe." #AntiSec
     
  12. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    - Interesting tidbit from Dutch 'Tweakers.net' member Power2All0wnzj0, on the arrest in the UK. link.
    (To be honest, member Power2All0wnzj0 doesn't/didn't like Ryan Cleary too much for DDoS'ing his IRC server).
    My Dutch->English translation below and a Google Translate link

    'Ryan Cleary hosted lulzco.org, which was actually his rebuild of EncyclopediaDramatica.ch IRC server.
    Ryan was ex-AnonOps staff, after he went 'rage' and tried to kick out all old Anonops staff members.
    This failed and that's why he went on board LulzSec.

    Ryan was active with Minecraft for a long time, but well, I'm glad he's gone.
    Dangerous guy who 'flattened' 2 datacenters and PSN with his DDoS bots.
    He had a bunch; 800.000.'

    - Some personal info on Ryan Cleary available on TheTechGame forum link

    - LulzSecExposed.blogspot.com mentions LulzSec leader Sabu has been Doxed; Profession - Webmaster, Designer and Coder, Age - 34 link

    - IRC chat log on Pastebin; discussion on LulzSec leader Sabu identity link
     
    Last edited: Jun 22, 2011
  13. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    An interesting group named "backtrace security" published the official program for the players. I kinda get a kick out of the name "backtrace" since there was some drama on 4chan about a kid and her dad involving "cyberpolice" and "backtracing" and so the irony fits in its own little "anon" bizarre way. Hopefully I can attach a perfectly safe PDF file here which identifies the players, who they are and WHERE they are. This information was already given to the authorities a couple of days ago so it's safe to publish now after the appropriate delay ...

    Aw QWAP ... no PDF attaches allowed, so I'll have to link to the PDF spreadsheet on scribd, so you can view it there instead. :(

    http://www.scribd.com/doc/55381908/namshub
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    So what's the latest in simple terms? Has this been shut down?
     
  15. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
    Still going. :(

    Brasil took it in the ear bigtime several hours ago and the kids are still raging with even more footsoldiers at their disposal. UK arrested one kid who merely ran an IRC server that they were using. Authorities claim that they have the kid on other items, but lulz is still going.

    I'm currently working on an article for admins which I will hopefully publish tomorrow outlining specific steps and tools which can be used to protect sites that haven't been hit. The more I've been looking into this, the more amazed I am at how absolutely AWFUL the state of "security professionals" is these days as I dig deeper. Meanwhile I'm technically unemployed. There is NO excuse for these sites getting hit now that I've seen their actual "tools." I have lost what little "awe" I had for their techniques. That they're getting over at all is just plain sad. :(
     
  16. jasonblake7

    jasonblake7 Registered Member

    Joined:
    Aug 19, 2008
    Posts:
    70
    Looking forward to seeing your published article Kevin.
     
  17. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  18. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Their time is coming. The more "footsoldiers" you have, the more likely one of the little piggies is gonna squeal, plus they love the media too much. In reality, they're wannabes, but they are good for one thing, which is exposing how dire the security situation is around the world. These companies actually need a little egg on their face, it's just sad that it had to happen via a group of pathetic little losers with automated programs and other hacker 101 techniques.
     
  19. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Lulzsec have made their next release just about an hour ago: This time they've released the names, addresses, email accounts and passwords of several members of Arizona Law Enforcement agencies. The release also included a directory listing of their own local machine, which implied from filenames that sensitive documents had been lifted from the Arizona Law Enforcement Agencies in question. Apparently an illicit torrent is being distributed that contains all of these files. Lulzsec are promising a further release of more documents over the next days, starting with Monday.

    Right now I can't find a link to a news story, because this is so fresh. Forgive me for not posting a link, but the only link to post would be to the leak itself, and I don't want to do that. Here's their header for the release:

    Lulzsec are truly thumbing their nose at the government at this point. This release promises to be extremely dangerous to law enforcement agents undercover. If the details they have, and release, are actually what they claim, then they'll be exposing Law Enforcement agents who have infiltrated gangs. I would surmise their time is growing more limited, what with all the exposure they've garnered, getting the government involved, and angering other hackers (some of whom have released the personal details of Lulzsec already).

    Edit: There's now a story about this at Boing Boing.
     
    Last edited: Jun 23, 2011
  20. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.
  21. Kevin McAleavey

    Kevin McAleavey Security Expert

    Joined:
    Dec 8, 2003
    Posts:
    376
    Location:
    Upstate New York
  22. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  23. BG

    BG Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    214
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    So at least one UK member of the Lulz crew doesn't know to stay Anon :D It didn't take long for the law to go knocking on "his" parents' door. Or maybe they smashed it in? According to "reports" he spent most of his days on the comp & was "supposed" to have lots of expertise as it was his life. I would have expected him to know the score & cover his tracks etc, obviously not! So how many more will now come unstuck I wonder, whether directly and/or indirectly from this?

    @ Kevin McAleavey

    Thanks for the updates etc :thumb:

    That Havij1.15Free is an "Interesting" tool :D Please see my PM about other such tools ;)
     
  25. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,196
    Location:
    Surrey, England.