8/31/2012 10:51 AM

Accused LulzSec Hackers Attended College Together

The two students accused of the Sony Pictures hack participated in Cyber Defense Competition team exercises at the University of Advancing Technology in Arizona.

Two men who've been arrested on charges that they hacked into the website of Sony Pictures Entertainment and posted stolen data studied together at the same university, and they also participated on the university's team for the Cyber Defense Competition held in March 2011, according to a former co-captain of the team.

The attack against the Sony Pictures Entertainment website and subsequent data leakage was carried out under the banner of LulzSec--a.k.a. Lulz Security--between May 27 and June 2, 2011, by hackers using the handles "Recursion" and "Neuron." According to court documents, the attackers used a VPN service in an attempt to mask their activities, and later boasted of having compromised the Sony website by using a single SQL-injection attack.

An indictment unsealed in September 2011 charged Cody Kretsinger, then 23, with being Recursion. After entering a not-guilty plea, Kretsinger pled guilty to all of the charges against him, and is due to be sentenced on October 25.

This week, meanwhile, the FBI announced the arrest of Raynaldo Rivera, 20, after he was recently indicted by a federal grand jury on charges of conspiracy and the unauthorized impairment of a protected computer. The indictment accused him of being Neuron, and singled him out for having posted part of the customer data stolen from the Sony website.

Both men were arrested in Phoenix, and it turns out that at the time of the attacks against Sony, both men were students at University of Advancing Technology (UAT) in Tempe, Ariz., and either members of--or practiced with--the UAT team that competed in the three-day Western Regional Collegiate Cyber Defense Competition in March 2011.

UAT didn't immediately respond to a request for comment, emailed outside of working hours, on Rivera's connection with the university. But according to news reports, Kretsinger began pursuing a network-security degree at UAT in August 2010, and in July 2011 was named student of the month, saying that "a job with the NSA or Department of Defense is my ultimate dream."

According to Steve Durham, who uses the handle "Yawg" and who co-captained the university's 2011 Collegiate Cyber Defense Competition team, Kretsinger was the team's Cisco administrator, while Rivera volunteered as a member of the Red team against which the university's team practiced.

According to a news story about the 2011 Cyber Defense Competition published on the UAT website, the school's 11-strong team placed third out of six universities, and while at the conference students enjoyed "face-time with network security professionals from companies like Boeing, CIA and BlackBag Technologies for potential jobs and internships."

At the competition, team members "acted as a Blue team to restore services to a fictional, vulnerable enterprise--in this case, the United States Security and Exchange Commission," according to the UAT story. "Contestants had computers and network equipment at their disposal to create a backup data response center to protect data and reestablish communications and IT services."

Meanwhile, the Blue team was directly challenged by "network attacks from Red team cyber terrorists and theoretical physical threats," it said. "The students worked around the clock to counter hacker threats--including an undetected programmed script that changed passwords--and reintroduce components like email amenities via injections. Teams were judged based on their timeliness to solve problems."

To be clear, Durham said he had no idea that Kretsinger or Rivera might be committing any illegal activities. "I mean, I had a good idea that they did things like this for fun (I cannot confirm or deny that a majority of netsec students everywhere, not just [at] UAT, partake in activities like this on some level), but never imagined it would be something this big," he said via email.

(In a follow-up comment after this story was published, Durham wanted to be clear that he wasn't suggesting that such behavior was condoned or acceptable. "I am no way insinuating that netsec students perform illegal activities like this for fun," he said via email. "There are a plethora of legitimate places to practice and toy with SQL injections and other hacking methodologies in an open manner [such as] www.hackthissite.org.")

Between January and May 2011, Durham said he and Kretsinger "talked about things like SQL injection, proxies, exploits and social engineering when we took our smoke breaks (as far as I can recall it was just Cody and I smoking while the red team we practiced with would join us)."

Meanwhile, in a screen grab of a Facebook page shared by Durham, Rivera introduced himself to the UAT Network Security Students group on October 19, 2010, with the following message: "O hi im Royal and im a addict. Im probably going to be the first one arrested at uat for computer related crimes."

"Looks like he was off by one," said Durham.

Comments
PJS880, 9/2/2012 3:39:24 PM
re: Accused LulzSec Hackers Attended College Together
I will say that I have had several professors in my information security courses tell the class on several occasions that we are to use our powers for good and not evil. I guess these guys didn't have the same professors as I did. They should have realized that once you put something out there on the web it can never be taken back; I am referring to comments and bragging. If you are by any means going to commit a crime and then brag and put it openly, expect to get caught and thrown in jail for breaking the law and lacking common sense.

Paul Sprague
InformationWeek Contributor