4/18/2012 08:56 AM

Anonymous Hackers Not Smart On Anonymity, Feds Say

For second time recently, authorities arrest an alleged Anonymous member after he shared too many details via social media.

The FBI announced Monday that it arrested John Anthony Borell III, 21, on charges of participating in two January 2012 Anonymous attacks against police websites in Utah.

Borell was arrested in Ohio on March 20, 2012, and indicted by a federal grand jury on April 4, 2012, on two counts of computer intrusion involving SQL injection attacks. Each count carries a maximum penalty of 10 years in prison and a $250,000 fine.

The first attack involved the Salt Lake City police department website, slcpd.com. The attack caused $33,000 in damages, said the site's administrator. The attacker also released to Pastebin a database dump of 473 records containing police officers' usernames, hashed passwords, full names, titles, email addresses, and phone numbers.

In the second attack, against the Utah Chiefs of Police Association website, www.utahchiefs.org, the attacker released a list containing the name, email address, and hashed password for 24 Utah chiefs of police. The website administrator, according to the FBI, said the attack had caused $150,000 "in damages accrued in responding to this hacking event."

Borell, who had been detained at a halfway house in Ohio after his arrest, was arraigned Monday in federal court in Utah. He pleaded not guilty, according to an Associated Press report.

The case contains an ironic twist for an alleged Anonymous member: authorities said they busted Borell after he failed to properly anonymize his identity. Apparently, it's an Anonymous and LulzSec career hazard, as authorities recently tracked down another alleged CabinCr3w and Anonymous participant, Higinio O. Ochoa III, 30, in Galveston, Texas, after he uploaded iPhone snaps of his bikini-clad girlfriend holding written taunts against the bureau. According to court documents, Ochoa (a.k.a. Anonw0rmer) failed to strip the GPS coordinates that the iPhone embeds in each photo's EXIF metadata, which led investigators to the house of his girlfriend in Australia, and on to him.
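The Ochoa slip is worth seeing concretely. The following is an added example, not code from the article or from any court filing: it constructs a skeletal JPEG carrying an Exif APP1 segment with a GPS sub-IFD, parses the latitude and longitude out of it the way any metadata tool would, and then strips the whole APP1 segment before the file is shared. The coordinates, tag layout and file bytes are all constructed here for illustration; only the Exif/TIFF structure itself (APP1 marker, TIFF header, IFD0 tag 0x8825 pointing at the GPS IFD, GPS tags 0x0001 to 0x0004) follows the published standard.

```python
import struct

# Constructed sample coordinates, not taken from the case: 12°34'56.7"S, 98°45'32.1"E,
# stored the way Exif stores them, as (degrees, minutes, seconds) unsigned rationals.
SAMPLE_LAT = ("S", [(12, 1), (34, 1), (567, 10)])
SAMPLE_LON = ("E", [(98, 1), (45, 1), (321, 10)])

GPS_IFD_POINTER = 0x8825                   # IFD0 tag that points at the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
SOI, EOI, APP1, SOS = 0xD8, 0xD9, 0xE1, 0xDA


def build_sample_jpeg():
    """Construct a skeletal JPEG (SOI, Exif APP1, EOI; no image data) whose Exif
    block carries a GPS IFD. Big-endian TIFF; offsets are relative to the TIFF header."""
    ifd0_off = 8                            # IFD0 sits right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 1 * 12 + 4     # IFD0 = count + one entry + next-IFD link
    data_off = gps_off + 2 + 4 * 12 + 4     # GPS IFD = count + four entries + link
    lat_data = b"".join(struct.pack(">II", n, d) for n, d in SAMPLE_LAT[1])
    lon_data = b"".join(struct.pack(">II", n, d) for n, d in SAMPLE_LON[1])

    def entry(tag, typ, count, value4):     # one 12-byte IFD entry
        return struct.pack(">HHI", tag, typ, count) + value4

    ifd0 = (struct.pack(">H", 1)
            + entry(GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack(">I", gps_off))
            + struct.pack(">I", 0))
    gps = (struct.pack(">H", 4)
           + entry(0x0001, TYPE_ASCII, 2, SAMPLE_LAT[0].encode() + b"\x00\x00\x00")
           + entry(0x0002, TYPE_RATIONAL, 3, struct.pack(">I", data_off))
           + entry(0x0003, TYPE_ASCII, 2, SAMPLE_LON[0].encode() + b"\x00\x00\x00")
           + entry(0x0004, TYPE_RATIONAL, 3, struct.pack(">I", data_off + len(lat_data)))
           + struct.pack(">I", 0))
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + gps + lat_data + lon_data
    payload = b"Exif\x00\x00" + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes([0xFF, SOI]) + app1 + bytes([0xFF, EOI])


def iter_segments(jpeg):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == EOI:
            yield marker, pos, pos + 2
            return
        if marker == SOS:                   # entropy-coded image data follows; stop here
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def find_exif(jpeg):
    """Return (start, end, tiff_bytes) for the Exif APP1 segment, or None."""
    for marker, start, end in iter_segments(jpeg):
        if marker == APP1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00":
            return start, end, jpeg[start + 10:end]
    return None


def extract_gps(jpeg):
    """Return (latitude, longitude) in signed decimal degrees, or None if absent."""
    found = find_exif(jpeg)
    if found is None:
        return None
    tiff = found[2]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        return None

    def unpack(fmt, off):
        size = struct.calcsize(endian + fmt)
        return struct.unpack(endian + fmt, tiff[off:off + size])

    def read_ifd(off):                      # tag -> (type, count, raw 4-byte value/offset)
        (count,) = unpack("H", off)
        entries = {}
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, cnt = unpack("HHI", e)
            entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
        return entries

    def dms(raw):                           # three RATIONALs at an offset -> decimal degrees
        (off,) = struct.unpack(endian + "I", raw)
        d, m, s = (n / den for n, den in (unpack("II", off + 8 * i) for i in range(3)))
        return d + m / 60 + s / 3600

    try:
        (ifd0_off,) = unpack("I", 4)
        (gps_off,) = struct.unpack(endian + "I", read_ifd(ifd0_off)[GPS_IFD_POINTER][2])
        gps = read_ifd(gps_off)
        lat_ref, lon_ref = gps[0x0001][2][:1], gps[0x0003][2][:1]
        lat, lon = dms(gps[0x0002][2]), dms(gps[0x0004][2])
    except (KeyError, struct.error, ZeroDivisionError):
        return None                         # no GPS tags, or a truncated/malformed IFD
    return (-lat if lat_ref == b"S" else lat, -lon if lon_ref == b"W" else lon)


def strip_exif(jpeg):
    """Return the JPEG with its Exif APP1 segment removed; image data is untouched."""
    found = find_exif(jpeg)
    if found is None:
        return jpeg
    start, end, _ = found
    return jpeg[:start] + jpeg[end:]


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before strip:", extract_gps(sample))
    print("after strip: ", extract_gps(strip_exif(sample)))
```

Two practical caveats: the parser deliberately bails out on any malformed offset rather than trusting it, because a photo from an untrusted source is attacker-controlled input to whatever reads it; and stripping APP1 removes more than GPS (camera model, timestamps, any embedded thumbnail, which can itself contain an uncropped copy of the image), which is usually what you want before publishing.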

Meanwhile, LulzSec leader and Anonymous heavyweight Sabu, real name Hector Xavier Monsegur, logged into a chat board just once--or according to some accounts, twice--without disguising his IP address. After that, it was apparently just a matter of time before investigators were able to tie Monsegur to the Sabu handle, and arrest him.

A sealed 29-page complaint against Borell, submitted by FBI special agent Eric Zimmerman on March 16, 2012, and unsealed by the court Monday, details how the FBI tracked down Borell. Notably, the Twitter user @ItsKahuna had taken credit for, and revealed inside knowledge about, both of the attacks against the Utah law enforcement websites, and signed the tweets with hashtags for Anonymous, as well as CabinCr3w.

The bureau sent a search warrant to Twitter on February 17, 2012, requesting information relating to three Twitter accounts: @ItsKahuna, @Anonw0rmer, and @cabincr3w. "On March 2, 2012, Twitter provided information for the above accounts ... [including] IP addresses used by the accounts, all Twitter messages sent using the accounts, direct messages sent to and from the accounts, and basic user information for the accounts, such as the email address that created the account," said Zimmerman in the court documents.

In short order, investigators traced one of the IP addresses used to log into the ItsKahuna Twitter account to a house in Toledo, Ohio. On December 22, 2011, ItsKahuna had tweeted: "Neighbors I thank you for installing a new router today and choosing WEP to protect it. I much appreciate the extra bandwidth for torrents." In other words, the IP address Twitter handed over belonged to a neighbor's broadband connection rather than to Borell's own, and the tweet about the neighbor's WEP network, a protocol that has been trivially crackable for years, supplied the link between the two. Zimmerman said that FBI agents conducting surveillance on Borell saw him entering and exiting a residence "approximately 312 feet" away from the residence to which the IP address had been assigned.

According to the complaint, ItsKahuna also sent a direct Twitter message to "anon_cutie" with a link to two photographs of himself, saying, "No one has any idea who I am or what I look like, so lets (sic) keep it that way and NOT share these with anyone mkay :P." The FBI said both photographs matched Borell's driver's license image.

How did ItsKahuna get his start in hacking? In one direct Twitter message, he told "missarahnicole" that "Operation Payback was my first op, then I just started working in things. I've gone by other nicks before but changed when I got doxed," meaning his real identity had been publicly disclosed by others. According to court documents, on February 19, 2012, ItsKahuna also sent this direct Twitter message to "EduardKovacs": "Working On #OpPiggyBank hacking police sites with CabinCr3w lately, I've lost count of how many at this point lulz."

Interestingly, ItsKahuna regularly chatted with "MissAnonFatale," who claimed via Twitter to be engaged to Anonw0rmer, who authorities allege is Ochoa. Accordingly, that would seem to make MissAnonFatale his Australian girlfriend, and in fact in one chat with ItsKahuna, MissAnonFatale talks about how her boyfriend "still needs to get a passport (halfway thru processing) & a visa into Oz."

The bureau said that Borell also lined up with various biographical details that ItsKahuna revealed via Twitter, such as his age, as well as the "Kahuna Pentagon Leak Log" posted to Pastebin, which includes this excerpt from a chat transcript (edited for formatting and grammar) between ItsKahuna and "Presstorm": "I talked to my lawyer, the benefit of having a father as an attorney is I have connections, he will be representing me. He said when the FBI shows up don't tell them anything and give them his card and tell them if they need to talk they should go through him."

In fact, Borell's father is a lawyer based in Toledo, Ohio. He told Ars Technica that he is not representing his son in court, and declined all further comment.

Comments
AustinIT, 4/19/2012 6:30:01 PM:
I agree with you there. SQL injection attacks are completely preventable. It's lazy developers who don't go through their code and fix these loose ends prior to releasing it to production.
YMOM100, 4/19/2012 10:44:30 AM:
And which penalty does the moron get who made the computer system to be vulnerable to an SQL injection attack? That is a weakness that can be entirely prevented and tested for!
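The two comments above (YMOM100's and AustinIT's) say SQL injection is entirely preventable and testable for. As an added illustration, not part of the article or of either comment, the following shows the defect side by side with the fix and a regression check. The table, rows, hashes and payload are constructed here; they mirror the field shapes the article says were dumped (usernames and hashed passwords) but are not the Utah data.

```python
import sqlite3

# Constructed sample data, not the Utah records: usernames, unsalted SHA-256 password
# hashes and titles, the same kinds of fields the article says were dumped.
SAMPLE_ROWS = [
    ("jdoe", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", "Sergeant"),
    ("asmith", "ef92b778bafe771e89245b89ecbc08a44a4e166c06659911881f383d4473e94f", "Captain"),
]

# Classic tautology payload: closes the quoted string and appends an always-true clause.
INJECTION = "' OR '1'='1"


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting, so the input becomes part of the SQL.
    With INJECTION the statement becomes  WHERE username = '' OR '1'='1'  and every
    row comes back: this is the shape of a database dump."""
    sql = "SELECT username, password_hash, title FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Passes the input as a bound parameter; the driver never interprets it as SQL."""
    sql = "SELECT username, password_hash, title FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def resists_injection(lookup):
    """Regression check for the 'tested for' claim: the payload must return exactly
    the rows a literal match on that string would return. No user is literally
    named "' OR '1'='1", so a resistant lookup returns nothing."""
    conn = make_db()
    literal = conn.execute(
        "SELECT username, password_hash, title FROM users WHERE username = ?", (INJECTION,)
    ).fetchall()
    return lookup(conn, INJECTION) == literal


def demo():
    conn = make_db()
    return {
        "legit": lookup_parameterized(conn, "jdoe"),
        "vulnerable": lookup_vulnerable(conn, INJECTION),        # dumps every row
        "parameterized": lookup_parameterized(conn, INJECTION),  # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:14s} -> {len(rows)} row(s): {rows}")
    print("vulnerable resists injection?   ", resists_injection(lookup_vulnerable))
    print("parameterized resists injection?", resists_injection(lookup_parameterized))
```

Parameterization closes the injection itself, but note what the dump in the article contained: hashed passwords. Whether a leaked hash list is a nuisance or a credential breach depends on the hashing; unsalted fast hashes like the SHA-256 values in the sample are cheaply crackable offline, so a salted, deliberately slow password hash and a database account limited to the rows the application actually needs belong in the same fix.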
Mathew, 4/18/2012 8:02:58 PM:
Interesting point, but I think you're missing the big picture. The people who are *really* good already know this stuff, take appropriate steps, and don't brag about their exploits over Twitter. (Look at the Nortel breach, which took 10 years for someone to spot and stop.)
The people who aren't so good, meanwhile, aren't going to learn their lessons--don't use Twitter to brag about hacking your neighbor's WiFi, after using the same IP to hack into two police department servers--even by reading the court documents used to charge their predecessors, or the wealth of material already in the public domain.
Finally, your Bin Laden example has been debunked as an urban myth.
JSmithy67, 4/18/2012 7:05:38 PM:
So we all know how stupid some Anonymous hackers are now... but how stupid are the law enforcement employees for telling the idiots' associates where they need to better cover their tracks??
This is almost as bad as when Osama Bin Laden ditched the sat phone after a member of Congress told the press we almost had him by tracking it. You'd think we'd at least get some intelligent employees with our tax dollars.