Attacks/Breaches
8/31/2012
10:51 AM
Connect Directly
RSS
E-Mail
50%
50%

Accused LulzSec Hackers Attended College Together

The two students accused of Sony Pictures hack participated in Cyber Defense Competition team exercises at the University of Advanced Technology in Arizona.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Two men who've been arrested on charges that they hacked into the website of Sony Pictures Entertainment and posted stolen data studied together at the same university, and they also participated on the university's team for the Cyber Defense Competition held in March 2011, according to a former co-captain of the team.

The attack against the Sony Pictures Entertainment website and subsequent data leakage was carried out under the banner of LulzSec--a.k.a. Lulz Security--between May 27 and June 2, 2011, by hackers using the handles "Recursion" and "Neuron." According to court documents, the attackers used a VPN service in an attempt to mask their activities, and later boasted of having compromised the Sony website by using a single SQL-injection attack.

An indictment unsealed in September 2011 charged Cody Kretsinger, then 23, with being Recursion. After entering a not-guilty plea, Kretsinger pled guilty to all of the charges against him, and is due to be sentenced on October 25.

This week, meanwhile, the FBI announced the arrest of Raynaldo Rivera, 20, after he was recently indicted by a federal grand jury on charges of conspiracy and the unauthorized impairment of a protected computer. The indictment accused him of being Neuron, and singled him out for having posted part of the customer data stolen from the Sony website.

[ Want to hear top execs from Google, Ford, P&G, General Motors, and SAP discuss enterprise innovation? Join us at the IW 500 Conference Sept. 9 to 11. ]

Both men were arrested in Phoenix, and it turns out that at the time of the attacks against Sony, both men were students at University of Advancing Technology (UAT) in Tempe, Ariz., and either members of--or practiced with--the UAT team that competed in the three-day Western Regional Collegiate Cyber Defense Competition in March 2011.

UAT didn't immediately respond to a request for comment, emailed outside of working hours, on Rivera's connection with the university. But according to news reports, Kretsinger began pursuing a network-security degree at UAT in August 210, and in July 2011 was named as student of the month, saying that "a job with the NSA or Department of Defense is my ultimate dream."

According to Steve Durham--who uses the handle "Yawg"--and who co-captained the 2011 Collegiate Cyber Defense Competition team with the university, Kretsinger was the team's Cisco administrator, while Rivera volunteered as a member of the Red team against which the university's team practiced.

According to a news story about the 2011 Cyber Defense Competition published on the UAT website, the school's 11-strong team placed third out of six universities, and while at the conference students enjoyed "face-time with network security professionals from companies like Boeing, CIA and BlackBag Technologies for potential jobs and internships."

At the competition, team members "acted as a Blue team to restore services to a fictional, vulnerable enterprise--in this case, the United States Security and Exchange Commission," according to the UAT story. "Contestants had computers and network equipment at their disposal to create a backup data response center to protect data and reestablish communications and IT services."

Meanwhile, the Blue team was directly challenged by "network attacks from Red team cyber terrorists and theoretical physical threats," it said. "The students worked around the clock to counter hacker threats--including an undetected programmed script that changed passwords--and reintroduce components like email amenities via injections. Teams were judged based on their timeliness to solve problems."

To be clear, Durham said he has no idea that Kretsinger or Rivera might be committing any illegal activities. "I mean, I had a good idea that they did things like this for fun (I cannot confirm or deny that a majority of netsec students everywhere, not just [at] UAT, partake in activities like this on some level), but never imagined it would be something this big," he said via email.

(In a follow-up comment after this story was published, Durham wanted to be clear that he wasn't suggesting that such behavior was condoned or acceptable. "I am no way insinuating that netsec students perform illegal activities like this for fun," he said via email. "There are a plethora of legitimate places to practice and toy with SQL injections and other hacking methodologies in an open manner [such as] www.hackthissite.org.")

Between January and May 2011, Durham said he and Kretsinger "talked about things like SQL injection, proxies, exploits and social engineering when we took our smoke breaks (as far as I can recall it was just Cody and I smoking while the red team we practiced with would join us)."

Meanwhile, in a screen grab of a Facebook page shared by Durham, Rivera introduced himself to the UAT Network Security Students group on October 19, 2010, with the following message: "O hi im Royal and im a addict. Im probably going to be the first one arrested at uat for computer related crimes."

"Looks like he was off by one," said Durham.

InformationWeek has published a report on backing up VM disk files and building a resilient infrastructure that can tolerate hardware and software failures. After all, what's the point of constructing a virtualized infrastructure without a plan to keep systems up and running in case of a glitch--or outright disaster? Download our Virtually Protected report now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
9/2/2012 | 3:39:24 PM
re: Accused LulzSec Hackers Attended College Together
I will say that I have had several professors in my information security courses tell the class on several occasions that we are to use our powers for good and not evil. I guess these guys didn't have the same professors as I did. They should have realized that once you out something out there in the web it can never be taken back, I am referring to comments and bragging. If you are by any means going to commit a crime and then brag and put it openly, expect to get caught and thrown in jail for breaking the law and lacking common sense.

Paul Sprague
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio