
Anonymous Hackers Not Smart On Anonymity, Feds Say

For second time recently, authorities arrest an alleged Anonymous member after he shared too many details via social media.

The FBI announced Monday that it arrested John Anthony Borell III, 21, on charges of participating in two January 2012 Anonymous attacks against police websites in Utah.

Borell was arrested in Ohio on March 20, 2012, and indicted by a federal grand jury on April 4, 2012, on two counts of computer intrusion involving SQL injection attacks. Each count carries a maximum penalty of 10 years in prison and a $250,000 fine.

The first attack involved the Salt Lake City police department website, slcpd.com. The attack caused $33,000 in damages, said the site's administrator. The attacker also released to Pastebin a database dump containing 473 records containing police officers' usernames, hashed passwords, full names, titles, email addresses, and phone numbers.

In the second attack, against the Utah Chiefs of Police Association website, www.utahchiefs.org, the attacker released a list containing the name, email address, and hashed password for 24 Utah chiefs of police. The website administrator, according to the FBI, said the attack had caused $150,000 "in damages accrued in responding to this hacking event."
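Both counts turn on SQL injection, and both dumps look the same: a list of usernames and password hashes pulled out of a table the web page was never supposed to expose. The block below is an added example, not code from the article, the court filings, or either website: a constructed in-memory SQLite database with a vulnerable lookup that concatenates a request parameter into the query text, beside the hardened version that validates the type and binds the value. The UNION-based dump is one illustrative technique; the complaint does not say which injection the attacker used, and the officer rows and their unsalted MD5 hashes are made up.

```python
import hashlib
import sqlite3

# Constructed sample data, not the real dumped records: a few accounts with
# unsalted MD5 password hashes, the kind of "hashed password" a leak often holds.
OFFICERS = [
    (1, "jdoe", hashlib.md5(b"password1").hexdigest(), "J. Doe", "jdoe@example.org"),
    (2, "asmith", hashlib.md5(b"letmein").hexdigest(), "A. Smith", "asmith@example.org"),
]
NEWS = [(1, "Road closures downtown"), (2, "Community meeting Thursday")]


def setup_db():
    """In-memory SQLite database standing in for a small departmental site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE officers (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, full_name TEXT, email TEXT)")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO officers VALUES (?, ?, ?, ?, ?)", OFFICERS)
    conn.executemany("INSERT INTO news VALUES (?, ?)", NEWS)
    return conn


def get_news_vulnerable(conn, news_id):
    """Deliberately vulnerable: the request parameter is pasted into the SQL text."""
    sql = "SELECT id, title FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def get_news_safe(conn, news_id):
    """Hardened: check the type first, then bind the value as a parameter."""
    try:
        nid = int(news_id)
    except (TypeError, ValueError):
        return []  # anything that is not an integer id is rejected outright
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (nid,)).fetchall()


# UNION payload: the news query yields two columns, so the attacker selects two
# columns from the table he actually wants and the site serves them as "news".
DUMP_PAYLOAD = "1 UNION SELECT username, password_hash FROM officers"


def demo():
    """Run the same payload against both endpoints; returns (leaked, safe)."""
    conn = setup_db()
    return get_news_vulnerable(conn, DUMP_PAYLOAD), get_news_safe(conn, DUMP_PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable endpoint returned:", leaked)
    print("hardened endpoint returned:", safe)
```

The parameter binding is what closes the hole; the integer check on top of it is cheap and turns a malformed id into an empty result rather than a database error that would tell an attacker the input reached the query layer.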

[ What lessons can IT learn from hacktivists? See Anonymous Vs. DNS System: Lessons For Enterprise IT. ]

Borell, who had been detained at a halfway house in Ohio after his arrest, was arraigned Monday in federal court in Utah. He pled not guilty, according to an Associated Press report.

The case contains an ironic twist for an alleged Anonymous member: authorities said they busted Borell after he failed to properly anonymize his identity. Apparently, it's an Anonymous and LulzSec career hazard, as authorities recently tracked down another alleged CabinCr3w and Anonymous participant, Higinio O. Ochoa III, 30, in Galveston, Texas, after he uploaded iPhone snaps of his bikini-clad girlfriend holding written taunts against the bureau. According to court documents, Ochoa (a.k.a. Anonw0rmer) failed to excise the GPS coordinates stored in the images' EXIF metadata, which led investigators to the house of his girlfriend in Australia, and on to him.
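The Ochoa detail is worth seeing at the byte level: a phone camera writes its fix into a GPS sub-IFD inside the JPEG's Exif APP1 segment, and anyone who receives the file can read it back. The block below is an added example, not code from the article or from any investigator: it constructs a minimal JPEG (SOI, one Exif segment, EOI) carrying the four GPS tags that fix a position, parses it the way an investigator's tool would, converts degrees/minutes/seconds to decimal, and then shows the fix, which is to drop the Exif segment before the picture is published. The coordinates are made up, the parser handles both TIFF byte orders but only the ASCII and RATIONAL entry types these tags use, and real photos hold many more tags than this sample.

```python
import struct

# Constructed sample: a minimal JPEG whose Exif block carries a GPS sub-IFD
# holding LatitudeRef, Latitude, LongitudeRef and Longitude.
TAG_GPS_IFD = 0x8825                          # IFD0 entry that points at the GPS IFD
GPS_TAGS = (0x0001, 0x0002, 0x0003, 0x0004)  # LatRef, Lat, LonRef, Lon

def build_jpeg_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Builds the sample only: little-endian TIFF inside an APP1 segment."""
    tiff = bytearray(b"II" + struct.pack("<HI", 42, 8))          # header, IFD0 at 8
    gps_ifd = 8 + 2 + 12 + 4                                      # IFD0 holds one entry
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_ifd)
    tiff += struct.pack("<I", 0)                                  # no next IFD
    lat_off = gps_ifd + 2 + 4 * 12 + 4                            # rationals follow GPS IFD
    lon_off = lat_off + 3 * 8
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 0x0001, 2, 2) + lat_ref.encode() + b"\0\0\0"  # ASCII, inline
    tiff += struct.pack("<HHII", 0x0002, 5, 3, lat_off)                       # 3 RATIONALs
    tiff += struct.pack("<HHI", 0x0003, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", 0x0004, 5, 3, lon_off) + struct.pack("<I", 0)
    for v in list(lat_dms) + list(lon_dms):                       # deg, min, sec as num/den
        tiff += struct.pack("<II", int(round(v * 100)), 100)
    exif = b"Exif\0\0" + bytes(tiff)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif + b"\xff\xd9"

def jpeg_segments(data):
    """Yield (marker, payload) for every segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI / SOS: metadata segments are over
            return
        length = struct.unpack_from(">H", data, pos + 2)[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def _read_ifd(tiff, endian, off):
    """Map tag -> (type, count, position of the 4-byte value/offset field)."""
    n = struct.unpack_from(endian + "H", tiff, off)[0]
    entries = {}
    for i in range(n):
        epos = off + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, epos)
        entries[tag] = (typ, count, epos + 8)
    return entries

def _value(tiff, endian, typ, count, vpos):
    """Decode inline ASCII (type 2) or offset RATIONAL (type 5) entries."""
    if typ == 2 and count <= 4:
        return tiff[vpos:vpos + count].rstrip(b"\0").decode("ascii")
    if typ == 5:
        off = struct.unpack_from(endian + "I", tiff, vpos)[0]
        return [n / d for n, d in struct.iter_unpack(endian + "II", tiff[off:off + 8 * count])]
    raise ValueError("unsupported entry type %d" % typ)

def gps_from_tiff(tiff):
    """Decimal (lat, lon) from a TIFF/Exif blob, or None when no GPS IFD exists."""
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(endian + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, endian, ifd0_off)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps_off = struct.unpack_from(endian + "I", tiff, ifd0[TAG_GPS_IFD][2])[0]
    gps = _read_ifd(tiff, endian, gps_off)
    if any(t not in gps for t in GPS_TAGS):
        return None
    lat_ref, lat, lon_ref, lon = (_value(tiff, endian, *gps[t]) for t in GPS_TAGS)

    def decimal(dms, ref):                   # D + M/60 + S/3600, negative for S and W
        deg = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -deg if ref in ("S", "W") else deg

    return decimal(lat, lat_ref), decimal(lon, lon_ref)

def extract_gps(jpeg):
    """What anyone who receives the upload can read out of it."""
    for marker, payload in jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return gps_from_tiff(payload[6:])
    return None

def strip_exif(jpeg):
    """The fix: drop every Exif APP1 segment; the image data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        seg = jpeg[pos:pos + 2 + length]
        if not (marker == 0xE1 and seg[4:10] == b"Exif\0\0"):
            out += seg
        pos += 2 + length
    return bytes(out + jpeg[pos:])
```

On a real photo the same check is `exiftool -all= photo.jpg` before posting, and the same lesson applies to screenshots and documents, which carry their own metadata blocks.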

Meanwhile, LulzSec leader and Anonymous heavyweight Sabu, real name Hector Xavier Monsegur, logged into a chat board just once--or according to some accounts, twice--without disguising his IP address. After that, it was apparently just a matter of time before investigators were able to tie Monsegur to the Sabu handle, and arrest him.

A sealed 29-page complaint against Borell, submitted by FBI special agent Eric Zimmerman on March 16, 2012, and unsealed by the court Monday, details how the FBI tracked down Borell. Notably, the Twitter user @ItsKahuna had taken credit for, and revealed inside knowledge about, both of the attacks against the Utah law enforcement websites, and signed the tweets with hashtags for Anonymous, as well as CabinCr3w.

The bureau sent a search warrant to Twitter on February 17, 2012, requesting information relating to three Twitter accounts: @ItsKahuna, @Anonw0rmer, and @cabincr3w. "On March 2, 2012, Twitter provided information for the above accounts ... [including] IP addresses used by the accounts, all Twitter messages sent using the accounts, direct messages sent to and from the accounts, and basic user information for the accounts, such as the email address that created the account," said Zimmerman in the court documents.

In short order, investigators traced one of the IP addresses used to log into the ItsKahuna Twitter account to a house in Toledo, Ohio. On December 22, 2011, ItsKahuna had tweeted: "Neighbors I thank you for installing a new router today and choosing WEP to protect it. I much appreciate the extra bandwidth for torrents." Zimmerman said that FBI agents conducting surveillance on Borell saw him entering and exiting a residence "approximately 312 feet" away from the residence to which the IP address had been assigned.

According to the complaint, ItsKahuna also sent a direct Twitter message to "anon_cutie" with a link to two photographs of himself, saying, "No one has any idea who I am or what I look like, so lets (sic) keep it that way and NOT share these with anyone mkay :P." The FBI said both photographs matched Borell's driver's license image.

How did ItsKahuna get his start in hacking? In one direct Twitter message, he told "missarahnicole" that "Operation Payback was my first op, then I just started working in things. I've gone by other nicks before but changed when I got doxed," meaning his identity would have been publicly disclosed by others. According to court documents, on February 19, 2012, ItsKahuna also sent this direct Twitter message to "EduardKovacs": "Working On #OpPiggyBank hacking police sites with CabinCr3w lately, I've lost count of how many at this point lulz."

Interestingly, ItsKahuna regularly chatted with "MissAnonFatale," who claimed via Twitter to be engaged to Anonw0rmer, who authorities allege is Ochoa. Accordingly, that would seem to make MissAnonFatale his Australian girlfriend, and in fact in one chat with ItsKahuna, MissAnonFatale talks about how her boyfriend "still needs to get a passport (halfway thru processing) & a visa into Oz."

The bureau said that Borell also lined up with various biographical details that ItsKahuna revealed via Twitter, such as his age, as well as the "Kahuna Pentagon Leak Log" posted to Pastebin, which includes this excerpt from a chat transcript (edited for formatting and grammar) between ItsKahuna and "Presstorm": "I talked to my lawyer, the benefit of having a father as an attorney is I have connections, he will be representing me. He said when the FBI shows up don't tell them anything and give them his card and tell them if they need to talk they should go through him."

In fact, Borell's father is a lawyer based in Toledo, Ohio. He told Ars Technica that he is not representing his son in court, and declined all further comment.

User Rank: Apprentice
4/19/2012 | 6:30:01 PM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
I agree with you there. SQL injection attacks are completely preventable. It's lazy developers who don't go through their code and fix these loose ends prior to releasing it to production.
User Rank: Apprentice
4/19/2012 | 10:44:30 AM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
And which penalty does the moron get who made the computer system to be vulnerable to an SQL injection attack? That is a weakness that can be entirely prevented and tested for!
User Rank: Apprentice
4/18/2012 | 8:02:58 PM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
Interesting point, but I think you're missing the big picture. The people who are *really* good already know this stuff, take appropriate steps, and don't brag about their exploits over Twitter. (Look at the Nortel breach, which took 10 years for someone to spot and stop.)
The people who aren't so good, meanwhile, aren't going to learn their lessons--don't use Twitter to brag about hacking your neighbor's WiFi, after using the same IP to hack into two police department servers--even by reading the court documents used to charge their predecessors, or the wealth of material already in the public domain.
Finally, your Bin Laden example has been debunked as an urban myth.
User Rank: Apprentice
4/18/2012 | 7:05:38 PM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
So we all know how stupid some Anonymous hackers are now... but how stupid are the law enforcement employees for telling the idiots' associates where they need to better cover their tracks??
This is almost as bad as when Osama Bin Laden ditched the sat phone after a member of Congress told the press we almost had him by tracking it. You'd think we'd at least get some intelligent employees with our tax dollars.