Last month, we reported how a conference call, between the FBI and Scotland Yard, discussing their investigation into Anonymous hackers had been secretly recorded by the hacking collective and published on the net.
We surmised at the time that the unknown hackers might have secretly accessed the call by compromising a police investigator’s email account, as the call-in details and passcode were posted by Anonymous on their usual dumping ground – the PasteBin website.
Yesterday’s announcement by the FBI about the prominent LulzSec hacker Sabu, and other alleged hacktivists, has revealed more details about what actually happened.
According to an FBI press release, a Garda (Irish police) officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account.
Unfortunately, that personal email account was compromised by a hacker.
A number of websites associated with US police have been compromised by AntiSec hackers in apparent support of the “Occupy” demonstrations.
One of the sites targeted was the Boston Police Patrolmen’s Association (BPPA), which suffered a hack which resulted in the release of a thousand usernames and passwords. An obvious danger is that staff may be using the same username/password combinations on other sites – such as their email accounts or Facebook.
In addition, the AntiSec movement claimed in an online press release to be publishing more than 600MB of data stolen from the International Association of Chief of Police (IACP) website, including names and addresses, passwords and internal documents.
Names, addresses, phone numbers and social security numbers for police officers in Alabama have also been exposed, and a contact database associated with employees and clients of the internet company Matrix Group made public.
Anonymous continued their crusade against governments and organizations this weekend, attacking the myBART.org website belonging to San Francisco’s BART (Bay Area Rapid Transit) system.
They performed a SQL injection (SQLi) attack against the site and were able to extract more than 2,000 records containing names, usernames, passwords (plain text), emails, phone numbers, addresses and zip codes.
They also defaced the website with Guy Fawkes masks, which BART has yet to remove more than four hours later.
While it is understandable that people are upset with BART after the recent blocking of cell phone communications to prevent protesters from organizing, it is puzzling to me how exposing thousands of innocent people’s personal information hurts BART more than it hurts transit users.
Users of rapid transit are certainly not the problem, and this simply takes a bad situation and makes it worse by creating even more victims.
During my interview about the incident with KCBS radio in San Francisco this afternoon, I was asked what people can do to protect themselves against these types of attacks. What an interesting question…
The best approach is to not provide your personal information where it isn’t needed and make sure you always use a unique password for every website, regardless of how unimportant you think the site may be.
If you are a user of myBART.org, I recommend changing your passwords anywhere you might have used the same password. Aside from that, there is little you can do now that your information has been published.
Website admins, if you are still storing passwords in plain text and haven’t examined your web site for SQL injection vulnerabilities, even after the attacks against Sony, I highly recommend doing so. This is not a list you want your site to be added to.
A 19-year old man has been arrested by British police in Shetland, UK, under suspicion of launching hacking attacks against a number of websites.
Officers from the Metropolitan Police Service’s Police Central e-Crime Unit (PCeU) arrested the man as part of an international investigation into the activities of the Anonymous and LulzSec hacktivist groups.
The man, who was arrested at a residential address in Shetland, is said to have used the online nickname “Topiary” and acted as a spokesperson for the groups via forums such as Twitter.
The suspected hacker is currently being transported to a central London police station, and a search is taking place at his home.
“Topiary” has been identified in the past as having a leading role in hacktivist attacks launched by the LulzSec and Anonymous groups.
In a related police operation, officers are searching a residential address in Lincolnshire where a 17-year-old male is being interviewed under caution in connection with the inquiry. He has not been arrested.
The truth is that LulzSec and other hacktivist groups have recently been playing an extremely dangerous game – taunting the likes of the FBI and British police with a series of hacks and attacks and believing themselves to be invincible.
If the arrested man is indeed a key member of the LulzSec gang, it could be the British police who have the last laugh.
Interestingly, Topiary recently deleted all the messages he had previously posted on Twitter, replacing them with a simple message:
"You cannot arrest an idea"
Is it possible he saw the writing on the wall?
Just last week, the UK’s PCeU arrested a 16-year-old youth – believed to be the LulzSec/Anonymous hacker known as “T-Flow” – in South London, on suspicion of breaching the Computer Misuse Act. Other arrests took place at the same time in the United States and the Netherlands.
Anonymous, the loosely-knit hacktivist collective, is claiming to have got its hands on 8GB of “secret documents” from CNAIPIC, Italy’s cybercrime unit responsible for protecting the country’s critical IT infrastructure.
If it’s true that security at CNAIPIC has been breached by hackers, that would be a genuine concern as the group works with intelligence agencies around the world.
An Anonymous Twitter account announced the data breach, and links were posted up on Pastebin pointing to a selection of the stolen files, which included information related to various government departments around the world, including the US Department of Agriculture and Australia’s Ministry of Defence.
Documents about a number of private firms also appear to be included in the haul, which was claimed by The Legion of Anonymous Doom who are presumed to be a subgroup of Anonymous.
A message posted on the internet in poorly-written English claimed that there would be more information and files released in due course:
"This is a prerelease of a series we are going to make to reveal the biggest in history of European LE cyber operation Evidence exploitation and abuse. Thing's gonna get published and twittered all over anonymous and lulzsec community."
A screenshot of a list of all the files that had been compromised was posted on the internet, and included in a news report by The Hacker News. A small portion of it is reproduced below.
So, why is Anonymous apparently targeting the Italian cybercrime authorities?
Well, earlier this month, Italian police searched dozens of houses and charged suspects, in an investigation into the Italian branch of Anonymous – which is suspected of hitting government, business and media websites with denial-of-service attacks.
Inevitably there will be speculation that this is a counter-attack against the Italian authorities following the arrests.
In the early hours of this morning, the FBI executed search warrants to gather evidence at the homes of alleged members of the Anonymous hacktivist group.
According to a Fox News report, two homes in Long Island, New York, and one in Brooklyn, were searched by FBI agents looking for evidence that computers at the addresses had been used in distributed denial-of-service (DDoS) attacks against a number of websites.
Computer equipment is said to have been removed from the home of Giordani Jordan in Baldwin, Long Island by FBI agents.
In recent months, a number of high profile websites (including those belonging to Mastercard, Visa and the Recording Industry Association of America) were blasted off the internet in a series of DDoS attacks, with different computers scattered across the world deployed to bombard targeted sites with traffic using a tool called LOIC.
However, the Low Orbit Ion Cannon (LOIC) tool doesn’t do a very good job of covering the tracks of attackers – making it potentially easy for computer crime authorities to track those behind the attacks.
The raids in New York followed just hours after hackers launched an attack against The Sun newspaper, redirecting visitors to a false news story that News Corporation CEO Rupert Murdoch had been found dead.
Facilitating or conducting a DDoS attack is illegal in many countries around the world, and in the United States is punishable by up to 10 years in prison and considerable fines.
The Anonymous hacktivist group has announced that it will launch its very own social network, to be called AnonPlus, after accounts it held with Google+ were suspended for violating terms and conditions.
Google+ has recently been enforcing a policy of shutting down profiles which contain fake names or those that represent organisations rather than individuals, so it’s not exactly surprising to see Anonymous-related profiles being zapped.
AnonPlus, Anonymous’s answer to the likes of Google+, is far from ready, however.
A team of 17 Java developers has been announced on the site’s holding page, alongside a manifesto announcing the “new social network where there is no fear of censorship” and “no more oppression”, but it seems that any working infrastructure for AnonPlus is some considerable way off still.
It’s hard not to be cynical about the prospects of a new social network being built from scratch.
Yes, Google – with all the resources it has available – appears to have done a good job with Google+, but surely a loosely-knit amateur collective like Anonymous, which rejects organisational constructs, will face a much steeper challenge.
Anyone remember Diaspora? They had the advantages of support from many and even some funding, but they seem to have gone awfully quiet lately, don’t they?
It will be interesting to see if AnonPlus becomes popular if/when it launches with the very people it is intended to help – those who are being prevented by oppressive regimes from sharing information freely and safely with the rest of the world.
The latest attack in the infamous “#antisec” movement targeted Booz Allen Hamilton, a consulting firm that works with the US government. Anonymous claims to have infiltrated an unprotected server and to have stolen a significant amount of data.
They claim to have released email addresses belonging to more than 90,000 US military personnel. While many folks downplay the significance of the attack and say “It’s only email addresses”, these particular email addresses may have more value than it would appear.
If we look back at the high-profile Gmail accounts that were hacked earlier this year, there is clearly demand for information about individuals connected to US defense that can be used to compromise their accounts and computers.
As Mila at Contagio blog wrote about the Gmail attack, the purpose isn’t so much to gain access to the email account itself, but rather to use email as the vehicle through which they can infect the host computer with malware.
The bigger problem for Booz Allen Hamilton is that they stored passwords alongside these email addresses using only a SHA hash. The passwords are not salted, so identical passwords produce identical hashes and precomputed tables apply to every account at once, which will likely lead to the majority of the passwords being exposed.
In addition to the emails, Anonymous claims to have erased 4 gigabytes worth of source code and to have discovered information which could help them attack the systems of the US government and other contractors.
While this should certainly be embarrassing to Booz Allen Hamilton, the real impact is on the US military. These 90,000+ individuals will need to reset their passwords, and ensure any systems that they shared these passwords with are changed.
While this isn’t likely to do any good, could I please have the attention of those individuals responsible for collecting user names, passwords and personal information from people? Listening?
Could we please see these hacking attacks as a shot across the bow? Now is the time to secure your data… Encryption is NOT optional. For some helpful advice you may wish to check out our Data Security Toolkit.
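The two admin-side failings these posts keep returning to are string-built SQL queries (the myBART.org breach) and unsalted fast hashes (the Booz Allen Hamilton passwords). The following is an added example, not code from any of the breached sites, using constructed sample accounts: it puts the vulnerable lookup beside a parameterised one and shows why unsalted SHA-1 lets one cracked password expose every account that shares it, while a per-user salt and an iterated hash (PBKDF2 here) do not.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not from any breach); two share a password.
SAMPLE_USERS = [("alice@example.mil", "Summer2011"),
                ("bob@example.mil", "Summer2011"),
                ("carol@example.mil", "correct horse")]
ROUNDS = 100_000

def unsalted_sha1(password):
    """Weak scheme: one fast SHA-1 round, no salt. Equal passwords -> equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_pbkdf2(password, salt=None):
    """Stronger scheme: random per-user salt plus a slow iterated hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + dk.hex()

def verify_pbkdf2(password, stored):
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def build_db(hasher):
    """In-memory user table, passwords stored with the given hashing scheme."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(e, hasher(p)) for e, p in SAMPLE_USERS])
    return db

def lookup_vulnerable(db, email):
    """Untrusted input concatenated into SQL: the injection pattern the posts warn about."""
    return db.execute("SELECT pw FROM users WHERE email = '" + email + "'").fetchall()

def lookup_safe(db, email):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    return db.execute("SELECT pw FROM users WHERE email = ?", (email,)).fetchall()

def duplicate_hash_count(db):
    """Number of stored hashes that collide with another account's hash."""
    rows = [r[0] for r in db.execute("SELECT pw FROM users")]
    return len(rows) - len(set(rows))
```

With the classic test string `x' OR '1'='1` the concatenated query returns every row, while the parameterised one returns nothing; the unsalted table shows one colliding hash, the salted table none.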
15 people, suspected of involvement in the Anonymous hacktivism movement which has launched a series of internet attacks, were arrested earlier this week following raids in Italy and Switzerland.
According to media reports, a 26-year-old Swiss-Italian called “Phre”, based in Canton Ticino, was amongst those detained and charged. It is alleged that “Phre” was a senior member of the group, who approved companies for the hackers to target.
The Italian branch of Anonymous is suspected of bombarding government, business and media websites with denial-of-service attacks, with victims including the Italian senate, energy firm ENI, defence firm Finmeccanica, and financial institution UniCredit.
A total of 32 homes in Italy and Switzerland were searched by police as part of the investigation, with those detained aged between 15 and 28. Dozens more people are believed to still be under investigation.
A statement published on an Anonymous website, however, played down the significance of the arrests.
The “press release” underlined the lack of structure inside Anonymous, and denied reports that the entire Italian Anonymous network had been dismantled:
Those arrested are not "dangerous hackers" as the media calls them, but people like you. They have been arrested while peacefully protesting for their and your rights. Our protest will continue louder than ever.
The Italian Anonymous have not fallen because of this cowardly attempt to dismantle them and announce consequences for there actions taken by the police, to demonstrate that anonymous is present and fights on, like it did in the past and will in the future, for the freedom of the internet.
I’m not sure those words will be much comfort to those who have been arrested by the Italian authorities. Right now, they may well be reflecting on whether participating in a denial-of-service attack is illegal or not.