Tuesday, March 06, 2012

A snitch. A hacker. A mystery. (And now: An update!)

The snitch: Hector Xavier Monsegur (known as Sabu), the de facto leader of the hacking group called LulzSec, has been outed as an FBI informant: See here and here and here.

The Guardian story (first link above) reveals that LulzSec
has been behind a wave of cyber raids against American corporations including Rupert Murdoch's News Corporation, the intelligence consultancy Stratfor, British and American law enforcement bodies, and the Irish political party Fine Gael.
Previous reports on the Stratfor data dump revealed that the hacker collective Anonymous had wormed their way into the cyber-heart of the private intel group. LulzSec is, or was, an offshoot of Anonymous.

A week ago, I suggested that a branch of American intelligence may have been the real author of the great Stratfor leak. Now we have evidence for that scenario, or at least a similar scenario. Anonymous broke into Stratfor late last year, and "Sabu" has been working for the FBI for at least six months. You do the math.

It should also be noted that Anonymous worked with the FBI to take down child porn sites. That was in October of last year.

Gizmodo reveals that others within the hacking community have felt for a while that Monsegur was "turned" last June.

From the Guardian:
A second document shows that Monsegur – styled this time as CW-1 – provided an FBI-owned computer to facilitate the release of 5m emails taken from US security consultancy Stratfor and which are now being published by WikiLeaks. That suggests the FBI may have had an inside track on discussions between Julian Assange of WikiLeaks, and Anonymous, another hacking group, about the leaking of thousands of confidential emails and documents.
An inside track, yes. But the feds did not arrest the Anonymous and LulzSec hackers until after Stratfor was (more or less) turned into a laughing stock. In fact, the FBI provided the server which held the Stratfor data dump.

All in all, I'd say that my paranoid theory doesn't look so paranoid now. I don't think that Friedman, Burton and company find the Bureau quite so laughable these days.

The hacker. Wired notes that one of the people ratted out by Sabu was a fellow named Jeremy Hammond.
Hammond, a member of Anonymous — a group loosely affiliated with LulzSec — is believed to be the main actor behind the hack of U.S. private intelligence company Stratfor in December, which resulted in the seizure of more than 5 million company e-mails, customer credit card numbers and other confidential information. The government said in a court filing that Hammond “used some of the stolen credit card data to make at least $700,000 worth of unauthorized charges.” ...The Stratfor hackers publicly said they were using the cards to make donations to charity, and provided screenshots.
Charity or no charity, playing around with credit cards is incredibly stupid -- so stupid, in fact, as to lead me to wonder if this part of the charge was concocted. For what it is worth, Anonymous sent out a statement to the BBC denying any responsibility for the Stratfor hack.

That denial may be true -- technically.

If I understand matters aright (which ain't no easy task: Hackerland is a complex place), Hammond had headed up his own Anonymous spin-off org called Antisec. Ars Technica offers the most in-depth coverage of the Hammond affair that I've seen so far. (Also see here.) These stories offer excerpts from incriminating IRC chats between Hammond and his hacker compatriots, including Monsegur/"Sabu."

The mystery. It's easy to understand how the feds got hold of the private dialogs with Monsegur -- he was working for Uncle all along. What I don't yet understand are the logs of conversations (mostly about Stratfor) that Hammond had with others in the hacking community.

Hammond used IRC, Internet Relay Chat. While "normal" IRC conversations pass through the servers and may be logged there, hipper users (or more paranoid users) may utilize a mode called DCC (Direct Client-to-Client), which lets one computer "talk" directly to another computer with no intermediaries and (in theory) no eavesdroppers. In practice the privacy is thinner than it sounds: the request that sets up a DCC session is an ordinary message relayed by the server, and it carries the initiator's IP address and port in the clear; the direct connection itself is unencrypted; and the person on the other end can log it just as easily as a server could. Hammond, who has had several previous encounters with the law, would surely have used DCC for conversations about potentially illegal activities. And keeping a log on his own system would have been idiocy.
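To make the DCC point concrete, here is an added example (my own illustration, not code from the post or from anyone named in it) that decodes the CTCP request an IRC client sends to open a DCC CHAT or DCC SEND. The request travels through the server as a normal PRIVMSG, and the server, or anyone with its logs, learns the sender's IP address and listening port from it. The sample lines, nicks, hosts and addresses are constructed.

```python
"""Decode the CTCP request that sets up an IRC DCC CHAT or DCC SEND.

Added example, not code from the original post. It shows what the server
(or anyone reading its logs) learns from a DCC handshake: the PRIVMSG that
opens the direct connection carries the initiator's IPv4 address, encoded
as a 32-bit integer, and the listening port, both in plaintext.
The SAMPLE lines below are constructed, not real chat logs.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A DCC request is a CTCP message: the PRIVMSG text is wrapped in \x01 bytes.
#   DCC CHAT chat <longip> <port>
#   DCC SEND <filename> <longip> <port> <filesize>
CTCP_DCC = re.compile(r"\x01DCC (CHAT|SEND) (\S+) (\d+) (\d+)(?: (\d+))?\x01")
PRIVMSG = re.compile(r"^:(?P<nick>[^!\s]+)![^ ]+ PRIVMSG (?P<target>\S+) :(?P<text>.*)$")


@dataclass
class DccRequest:
    sender: str
    target: str
    kind: str            # "CHAT" or "SEND"
    argument: str        # "chat" for CHAT, the file name for SEND
    ip: str              # dotted quad decoded from the 32-bit integer
    port: int
    size: Optional[int]  # file size for SEND, None for CHAT


def parse_dcc(line: str) -> Optional[DccRequest]:
    """Return the DCC request carried by one raw IRC line, or None."""
    m = PRIVMSG.match(line)
    if not m:
        return None
    c = CTCP_DCC.search(m.group("text"))
    if not c:
        return None
    kind, arg, longip, port, size = c.groups()
    # DCC encodes the IPv4 address as a big-endian unsigned 32-bit integer.
    ip = str(ipaddress.IPv4Address(int(longip)))
    return DccRequest(m.group("nick"), m.group("target"), kind, arg,
                      ip, int(port), int(size) if size else None)


def leaked_endpoints(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """(sender, kind, ip, port) for every DCC handshake seen in the relay."""
    out = []
    for line in lines:
        req = parse_dcc(line)
        if req:
            out.append((req.sender, req.kind, req.ip, req.port))
    return out


# Constructed sample of what an IRC server relays (not a real log).
SAMPLE = [
    ":alice!a@example.net PRIVMSG bob :\x01DCC CHAT chat 3232235777 5000\x01",
    ":alice!a@example.net PRIVMSG #chan :hello everyone",
    ":carol!c@example.org PRIVMSG bob :\x01DCC SEND dump.tgz 167772161 6001 1048576\x01",
]

if __name__ == "__main__":
    for sender, kind, ip, port in leaked_endpoints(SAMPLE):
        print(f"{sender} offered DCC {kind} from {ip}:{port}")
```

Only the chat text after the handshake bypasses the server; the endpoints do not, which is why a DCC partner, or the server operator, is in a fine position to attribute a conversation even before anyone logs it.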

Why, then, do we have transcripts of Hammond's chats with people other than Monsegur?

The answer may be revealed in the actual indictment, which I have not yet read. This story reveals that the FBI had traced Hammond and placed him under observation -- but they could legally trace only the IP addresses Hammond visited.
On March 1, the agents obtained a court order allowing them to use a "pen register/trap and trace" device that could reveal only "addressing information" and not content. In other words, if it worked, agents could see what IP addresses Hammond was visiting, but they would see nothing else.
Okay. So who logged the chats? Offhand, I can think of three scenarios:

1. Monsegur was not the only FBI snitch. (Tellingly, the FBI is hiding the handles of other people chatting with Hammond.)

2. Someone planted a keylogger or other spyware onto Hammond's system.

3. The NSA got involved. The NSA scoops up everything.

Maybe I'm missing something obvious here. Maybe you have a clearer idea than I do as to what really went down. There are many people out there who are wiser than I am about How Hackers Do It. To be frank, I don't want to possess any detailed knowledge of that sort.

If Hammond logged his own incriminating material, he was very foolish.

That said, I do feel sorry for Hammond. Looks to me like the FBI covertly helped him take down Stratfor, a private firm which had developed an arrogant and contemptuous attitude toward the Bureau -- and perhaps toward the entire American intelligence community. Once Stratfor got a much-needed kick in the rear, Hammond became expendable.

Update: This is fascinating news...
Hackers, quite possibly from the government, replaced Anonymous DDOS software available for download with a version that steals passwords.
More here:
In previous attacks, Anonymous hacktivists have shown an affinity for Slowloris, a simple tool for DDoSing websites. The group distributes this software through a how-to guide on Pastebin. On January 20, however, hackers broke into this document and changed the Slowloris download links to a modified version of the software infected with Zeus, a popular Trojan horse.

The infected client still works as expected, however behind the scenes it’s doing much more. Zeus steals passwords as well as other credentials including cookies. The link change occurred around the same time as the raid on Megaupload, Symantec says. Unless Anonymous checked the code behind the document, they would have never known anything changed.
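The Slowloris swap worked because nobody compared the links in the guide, or the bytes they downloaded, against anything pinned in advance. As an added example (my own code, not the post's, Symantec's or any Anonymous tool), the following checks a how-to document's download links against a pinned allowlist and verifies a downloaded file against a pinned SHA-256 digest. The guide text, URLs and file contents are constructed; in real use the pinned digest would be published out of band rather than computed in the same script.

```python
"""Detect a swapped download link and a tampered download.

Added example, not code from the original post. Everything below is
constructed: the guide text, the URLs and the "tool" bytes. The pinned
digest is computed here from the known-good bytes for demonstration; in
practice you would pin a digest obtained out of band.
"""
import hashlib
import hmac
import re
from typing import List, Set

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_links(doc: str) -> List[str]:
    """All http(s) links that appear in a guide, in document order."""
    return URL_RE.findall(doc)


def changed_links(doc: str, pinned: Set[str]) -> List[str]:
    """Links present in the document that are not in the pinned allowlist."""
    return sorted(set(extract_links(doc)) - pinned)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True only if the bytes hash to the pinned digest.

    compare_digest runs in constant time, so a mismatch does not leak how
    many leading characters of the digest happened to agree."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


# Constructed known-good state: what the guide said before anyone edited it.
PINNED_LINKS = {"https://example.org/tools/slowloris.pl"}
GOOD_BYTES = b"#!/usr/bin/perl\n# slowloris (constructed stand-in)\n"
PINNED_SHA256 = sha256_hex(GOOD_BYTES)

# Constructed "edited" guide: the download link now points somewhere else.
EDITED_GUIDE = """Slowloris how-to (constructed)
Grab the client here: https://example.net/dl/slowloris.pl
Run it with --dns target.example.org
"""
TAMPERED_BYTES = GOOD_BYTES + b"# extra payload appended (constructed)\n"


def audit(doc: str, download: bytes) -> dict:
    """Summarise both checks so a caller can refuse to run anything suspect."""
    unexpected = changed_links(doc, PINNED_LINKS)
    return {
        "unexpected_links": unexpected,
        "digest_ok": verify_download(download, PINNED_SHA256),
        "safe_to_run": not unexpected and verify_download(download, PINNED_SHA256),
    }


if __name__ == "__main__":
    print(audit(EDITED_GUIDE, TAMPERED_BYTES))
```

Pinning the link alone is not enough, since the same URL can start serving different bytes; pinning the digest alone is not enough either, since a guide that has been rewritten to point at a new file is itself the signal that something is wrong. Check both.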
By now, you'd think that someone would have concocted an app that allows one to determine quickly and easily which outside computers are in communication with your system. Firewalls are never informative enough; neither is Task Manager.
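On Linux the kernel already exposes exactly this information in /proc/net/tcp, which is what netstat and ss read. As an added example (my own code, not the post's), here is a parser for that file that lists established connections to anything other than the loopback interface; the sample table is constructed so the parsing can be checked offline, and read_live() reads the real file on a Linux host. The inode-to-PID lookup assumes a Linux /proc layout.

```python
"""List established TCP connections to outside hosts from /proc/net/tcp.

Added example, not code from the original post. This is the raw source
that netstat/ss consult on Linux. The SAMPLE table below is constructed;
read_live() reads the real file on a Linux machine.
"""
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}


@dataclass
class Conn:
    local: str
    lport: int
    remote: str
    rport: int
    state: str
    uid: int
    inode: int   # socket inode; map it to a PID via /proc/<pid>/fd


def _addr(hexaddr: str) -> Tuple[str, int]:
    ip_hex, port_hex = hexaddr.split(":")
    # The address is 8 hex digits in host byte order (little-endian on x86),
    # so reverse the four bytes before decoding; the port is big-endian hex.
    ip = ipaddress.IPv4Address(bytes.fromhex(ip_hex)[::-1])
    return str(ip), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Conn]:
    """Parse the /proc/net/tcp table; header and malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        # Data rows start with the slot number followed by a colon, e.g. "0:".
        if len(f) < 10 or not f[0].endswith(":"):
            continue
        local, lport = _addr(f[1])
        remote, rport = _addr(f[2])
        state = TCP_STATES.get(int(f[3], 16), f[3])
        conns.append(Conn(local, lport, remote, rport, state, int(f[7]), int(f[9])))
    return conns


def external_established(conns: List[Conn]) -> List[Conn]:
    """Established connections whose peer is not the loopback interface."""
    return [c for c in conns
            if c.state == "ESTABLISHED"
            and not ipaddress.ip_address(c.remote).is_loopback]


def pid_for_inode(inode: int) -> Optional[int]:
    """Walk /proc/<pid>/fd looking for socket:[inode]; Linux only, may need root."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = f"/proc/{pid}/fd"
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(f"{fd_dir}/{fd}") == f"socket:[{inode}]":
                    return int(pid)
        except OSError:
            continue   # process vanished or not ours to inspect
    return None


def read_live() -> List[Conn]:
    with open("/proc/net/tcp") as fh:
        return parse_proc_net_tcp(fh.read())


# Constructed sample: one listener, one outbound HTTPS session, one loopback session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C3E6 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:9C40 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for c in external_established(parse_proc_net_tcp(SAMPLE)):
        print(f"{c.local}:{c.lport} -> {c.remote}:{c.rport} (uid {c.uid}, inode {c.inode})")
```

Note the byte-order trap: the address field is little-endian on the common architectures while the port is big-endian, and a parser that treats both the same way will report addresses like 127.0.0.1 as 1.0.0.127. A malicious client that hides its traffic from this table needs kernel-level help, which is why a host you do not trust should be watched from a separate machine, for instance with Wireshark on a span port, rather than from itself.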

Here's an interesting reaction to the hacked version of Slowloris:
Kevin McAleavey, cofounder of the KNOS Project, says he found the malicious link, and agrees in part with Wallis. He believes that the more sophisticated members of Anonymous would not fall for it.

But, he suspects there are plenty who would. "I've always maintained that Anonymous consists of a few slick coders and a cast of thousands of morons," McAleavey says.
Apparently, the hack was detected by most antivirus programs. So keep your system clean, boys and girls. I'm going to go back to my policy of scanning every night.

The gummint may not have inserted the trojan. HBGary or some similar organization might have done the job. The Breitbart-linked hackers who targeted Anthony Weiner (and then made an amusing show of "investigating" their own impersonations) have had a complex -- and only partially adversarial -- relationship with Anonymous.

That's the problem with leaderless rebellions, eh wot?

7 comments:

medical artist said...

Really great blog. I'm going to read your other posts. Take care. Keep sharing.

Zolodoco said...

Using nmap, HijackThis, and Wireshark you can keep track of everything that's running on your system and everything that's communicating over open ports.

Anonymous said...

'The snitch:' should be worm, as in Stuxnet.

I have wondered about a lot of the stupid activity of anonymous, especially the recent CIA hack, that I surmised was a Virginia Farm Boy false flag self-hack. The only alternative I saw was 'anonymous' was comprised of disparate cells, some with anarchists who only want to fuck things up. I am a little confused about Stratfor. Is there any real info there?

Anonymous said...

Hey, when can I get out of moderation Hell? :>)

Anonymous said...

OT, sorta.

The musings of another October surprise...

http://consortiumnews.com/2010/062410.html

B Franklin

Woman Voter said...

I will start doing checks too. I am now only using one computer for social networks as my work one got some killer thing (lucky I had a back up of 3 months back...so had to do a lot of accounting entry stuff...EAK@) and setting up another system for work. As for some reason people have taken to targeting artists as hackers, which doesn't make sense to me.

Any hoo, nice to see your journalistic scalpel skills at work. :-)

Woman Voter said...

Don't know if my comment made it... :-(

Any hoo, good work! Been visiting but not commenting. :-)