Attacks/Breaches
12/14/2012
11:56 AM
50%
50%

How U.K. Police Busted Anonymous Suspect

Operation Payback operators' identities unearthed largely through "social leakage" -- highlighting differences between U.S. and British hacker investigations.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Are U.S. authorities focusing too much on busting low-level hacktivist operators, at the expense of taking down the leading lights?

The difference in style can be seen in the approach that U.K. investigators have taken to prosecuting the ringleaders of Operation Payback, which was the Anonymous-branded attack campaign that targeted businesses, including PayPal and MasterCard, with distributed denial of service (DDoS) attacks for their having blocked payments to WikiLeaks. PayPal said the attacks resulted in losses of £3.5 million ($5.6 million).

According to Ray Massie, a freelance computer forensic and open source training consultant who led Britain's Operation Payback investigation as a detective sergeant with London's Metropolitan Police Service, his team focused on the people who organized the attacks and picked the targets, rather than low-level operators. "We went after organizers and facilitators rather than foot soldiers. U.S. authorities went after a mix," Massie told The Register.

[ For more about busting bad guys based on digital tracks, read How Digital Forensics Detects Insider Theft. ]

By comparison, U.S. authorities have ended up prosecuting a large number of people who downloaded a DDoS tool promoted by some of the leaders of Anonymous, and which attacked targets selected not by the downloader, but by leaders of Anonymous. The DDoS tool in question was known as the Low Orbit Ion Cannon (LOIC), and less advanced LOIC users didn't seem to realize that the tool often coded their IP address into the packets it generated. Many of the attacked organizations recorded these packets and shared them with authorities, who used service providers' subscriber records to identify LOIC users' real identities, then began making arrests.

Of course, U.S. authorities have also busted multiple alleged leaders of the supposedly leaderless Anonymous hacktivist collective, including Sabu -- real name: Hector Xavier Monsegur -- who also served as the leader of LulzSec.

But British authorities have limited their efforts to prosecuting the organizers behind Operation Payback, as highlighted by the case of Northampton, England-based Christopher Wetherhead (aka "Nerdo"), 22. Last week, he was found guilty in Southwark Crown Court of one count of conspiracy to commit unauthorized acts with intent to impair the operation of a computer, in violation of the U.K.'s 1990 Computer Misuse Act.

In his defense, Wetherhead maintained that he only moderated the AnonOps IRC channel. But Scotland Yard's Police Central eCrime Unit had studied numerous Anonymous IRC logs and found nickname (NIC) clues that helped them identify the British leaders of Operation Payback

"In a nutshell we identified Weatherhead via the IRC network," former detective constable Trevor Dickey, who now works in the private sector, told The Register.

"We identified their IRC channels and captured several weeks of chat. During that time we looked at the status of NICs such as admins and operators," he said. "We then did some keyword searching and spent a lot of time looking [at] social leakage. Combining all these elements we then identified the NICs of interest and did open source research on them. Weatherhead was easy to identify as he had been using the NIC of 'Nerdo' for quite some time."

The other suspects likewise were also identified in large part via social-network leakage. "We were able to tie their digital identities to real life identities," Massie told The Register. "Now that the suspects are in their 20s, they are security conscious, but they were using the same nick when they were a kid on gaming forums or elsewhere. They made mistakes."

Prosecutors also found evidence that Wetherhead had contracted for services with bulletproof hosting provider Heihachi in Russia, on behalf of Anonymous. The prosecutor described Heihachi as providing a "safe haven" for cybercriminals.

Thanks to that police digital forensic work, a jury of six men and five women took just two hours to return a guilty verdict against Weatherhead, saying he'd had an "integral role" in the attacks, reported The Guardian.

Three other men -- Jake Alexander Birchall, 18, of Little Neston, Cheshire; Ashley Rhodes, 27, of Bolton Crescent, London; and Peter David Gibson, 24, of Hartlepool, Cleveland -- earlier this year pled guilty to the same charge.

Judge Peter Testar told Wetherhead that he and his co-conspirators might do jail time as a result. All four men are due back in Southwark Crown Court in January 2013 for pre-sentence reports.

Stay ahead of the eCommerce technology curve. Watch our webcast, Next Generation e-Commerce Strategies for B2B Sales and Marketing, to learn the strategies and tactics you can use to more efficiently give your clients what they want, keep them happy and increase sales. Register now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Why else would HR ask me if I have a handicap?"
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.