4/18/2012 08:56 AM
Anonymous Hackers Not Smart On Anonymity, Feds Say

For second time recently, authorities arrest an alleged Anonymous member after he shared too many details via social media.

The FBI announced Monday that it arrested John Anthony Borell III, 21, on charges of participating in two January 2012 Anonymous attacks against police websites in Utah.

Borell was arrested in Ohio on March 20, 2012, and indicted by a federal grand jury on April 4, 2012, on two counts of computer intrusion involving SQL injection attacks. Each count carries a maximum penalty of 10 years in prison and a $250,000 fine.

The first attack involved the Salt Lake City police department website, slcpd.com. The attack caused $33,000 in damages, said the site's administrator. The attacker also released to Pastebin a database dump containing 473 records containing police officers' usernames, hashed passwords, full names, titles, email addresses, and phone numbers.

In the second attack, against the Utah Chiefs of Police Association website, www.utahchiefs.org, the attacker released a list containing the name, email address, and hashed password for 24 Utah chiefs of police. The website administrator, according to the FBI, said the attack had caused $150,000 "in damages accrued in responding to this hacking event."


Borell, who had been detained at a halfway house in Ohio after his arrest, was arraigned Monday in federal court in Utah. He pled not guilty, according to an Associated Press report.

The case contains an ironic twist for an alleged Anonymous member: authorities said they busted Borell after he failed to properly anonymize his identity. Apparently, it's an Anonymous and LulzSec career hazard, as authorities recently tracked down another alleged CabinCr3w and Anonymous participant, Higinio O. Ochoa III, 30, in Galveston, Texas, after he uploaded iPhone snaps of his bikini-clad girlfriend holding written taunts against the bureau. According to court documents, Ochoa (a.k.a. Anonw0rmer) failed to excise the GPS coordinates stored in the image metadata, which led investigators to the house of his girlfriend in Australia, and on to him.
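The location leak described above comes from Exif metadata: cameras and phones write GPS tags into the image file itself, and they travel with the upload unless something removes them. As an added, publisher-side illustration (example code, not from the article or any of the investigations it covers), the script below constructs a minimal JPEG carrying Exif GPS tags in memory, parses the GPS sub-IFD to recover the coordinates, and strips the Exif segment before the file would be shared. The file layout is the standard APP1/TIFF/IFD structure; the coordinates, scan data and the `build_jpeg_with_gps` helper are constructed for the demonstration, and `strip_exif` drops the whole Exif block rather than editing individual tags.

```python
"""Find and strip GPS coordinates in a JPEG's Exif metadata before an image is published.

Added example: the JPEG is constructed in memory (not a real photo) so it runs offline.
"""
import struct

SOI, EOI, APP1 = b"\xff\xd8", b"\xff\xd9", b"\xff\xe1"
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_jpeg_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal JPEG whose APP1 Exif segment carries GPS tags (big-endian TIFF)."""
    e = ">"
    # Offsets are relative to the TIFF header: header 0-8, IFD0 8-26, GPS IFD 26-80,
    # latitude rationals 80-104, longitude rationals 104-128.
    gps_off, lat_off, lon_off = 26, 80, 104
    tiff = b"MM" + struct.pack(e + "HI", 42, 8)
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, gps_off)
    ifd0 += struct.pack(e + "I", 0)                      # no next IFD
    gps = struct.pack(e + "H", 4)
    # ASCII refs ("N\0", "W\0") are short enough to sit inline in the 4-byte value field.
    gps += struct.pack(e + "HHI", TAG_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    gps += struct.pack(e + "HHII", TAG_LAT, 5, 3, lat_off)   # 3 RATIONALs stored at lat_off
    gps += struct.pack(e + "HHI", TAG_LON_REF, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    gps += struct.pack(e + "HHII", TAG_LON, 5, 3, lon_off)
    gps += struct.pack(e + "I", 0)
    rationals = b"".join(struct.pack(e + "II", n, d) for n, d in lat_dms + lon_dms)
    body = EXIF_HEADER + tiff + ifd0 + gps + rationals
    app1 = APP1 + struct.pack(">H", len(body) + 2) + body
    # A quantisation table, a start-of-scan marker and fake scan data stand in for a picture.
    return SOI + app1 + b"\xff\xdb\x00\x04\x00\x00" + b"\xff\xda\x00\x02" + b"SCANDATA" + EOI


def _segments(data):
    """Yield (marker, start, end) for each length-prefixed segment up to and including SOS."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length
        if marker == 0xDA:          # entropy-coded image data follows; no more headers
            return


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at off."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", tiff[p:p + 8])
        entries[tag] = (typ, cnt, tiff[p + 8:p + 12])
    return entries


def _dms(tiff, entry, e):
    """Resolve a (deg, min, sec) RATIONAL triple to decimal degrees."""
    _typ, cnt, raw = entry
    off = struct.unpack(e + "I", raw)[0]
    vals = struct.unpack(e + "II" * cnt, tiff[off:off + 8 * cnt])
    return sum(vals[2 * i] / vals[2 * i + 1] / 60 ** i for i in range(cnt))


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees if the Exif block carries GPS tags, else None."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]
        e = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])[0], e)
        if TAG_LAT not in gps or TAG_LON not in gps:
            return None
        lat, lon = _dms(tiff, gps[TAG_LAT], e), _dms(tiff, gps[TAG_LON], e)
        if gps.get(TAG_LAT_REF, (0, 0, b""))[2][:1] == b"S":
            lat = -lat
        if gps.get(TAG_LON_REF, (0, 0, b""))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Return a copy with every APP1 Exif segment removed; the GPS tags leave with it."""
    out, last = bytearray(SOI), 2
    for marker, start, end in _segments(jpeg):
        last = end
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            continue                          # drop the whole Exif block
        out += jpeg[start:end]
    return bytes(out + jpeg[last:])           # scan data and EOI are copied verbatim


if __name__ == "__main__":
    # Constructed coordinates, not a real location.
    photo = build_jpeg_with_gps([(40, 1), (30, 1), (0, 1)], "N", [(73, 1), (45, 1), (0, 1)], "W")
    print("before:", extract_gps(photo))                 # (40.5, -73.75)
    print("after: ", extract_gps(strip_exif(photo)))     # None
```

Running `extract_gps` over images in an upload pipeline is the detection half; `strip_exif` is the mitigation. Real photos also carry the same tags in other containers (HEIC, PNG eXIf chunks), and editing tools that re-save a file often preserve Exif, so the check belongs at the point of publication rather than at capture.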

Meanwhile, LulzSec leader and Anonymous heavyweight Sabu, real name Hector Xavier Monsegur, logged into a chat board just once--or according to some accounts, twice--without disguising his IP address. After that, it was apparently just a matter of time before investigators were able to tie Monsegur to the Sabu handle, and arrest him.

A sealed 29-page complaint against Borell, submitted by FBI special agent Eric Zimmerman on March 16, 2012, and unsealed by the court Monday, details how the FBI tracked down Borell. Notably, the Twitter user @ItsKahuna had taken credit for, and revealed inside knowledge about, both of the attacks against the Utah law enforcement websites, and signed the tweets with hashtags for Anonymous, as well as CabinCr3w.

The bureau sent a search warrant to Twitter on February 17, 2012, requesting information relating to three Twitter accounts: @ItsKahuna, @Anonw0rmer, and @cabincr3w. "On March 2, 2012, Twitter provided information for the above accounts ... [including] IP addresses used by the accounts, all Twitter messages sent using the accounts, direct messages sent to and from the accounts, and basic user information for the accounts, such as the email address that created the account," said Zimmerman in the court documents.

In short order, investigators traced one of the IP addresses used to log into the ItsKahuna Twitter account to a house in Toledo, Ohio. On December 22, 2011, ItsKahuna had tweeted: "Neighbors I thank you for installing a new router today and choosing WEP to protect it. I much appreciate the extra bandwidth for torrents." Zimmerman said that FBI agents conducting surveillance on Borell saw him entering and exiting a residence "approximately 312 feet" away from the residence to which the IP address had been assigned.

According to the complaint, ItsKahuna also sent a direct Twitter message to "anon_cutie" with a link to two photographs of himself, saying, "No one has any idea who I am or what I look like, so lets (sic) keep it that way and NOT share these with anyone mkay :P." The FBI said both photographs matched Borell's driver's license image.

How did ItsKahuna get his start in hacking? In one direct Twitter message, he told "missarahnicole" that "Operation Payback was my first op, then I just started working in things. I've gone by other nicks before but changed when I got doxed," meaning his identity would have been publicly disclosed by others. According to court documents, on February 19, 2002, ItsKahuna also sent this direct Twitter message to "EduardKovacs": "Working On #OpPiggyBank hacking police sites with CabinCr3w lately, I've lost count of how many at this point lulz."

Interestingly, ItsKahuna regularly chatted with "MissAnonFatale," who claimed via Twitter to be engaged with Anonw0rmer, who authorities allege is Ochoa. Accordingly, that would seem to make MissAnonFatale his Australian girlfriend, and in fact in one chat with ItsKahuna, MissAnonFatale talks about how her boyfriend "still needs to get a passport (halfway thru processing) & a visa into Oz."

The bureau said that Borell also lined up with various biographical details that ItsKahuna revealed via Twitter, such as his age, as well as the "Kahuna Pentagon Leak Log" posted to Pastebin, which includes this excerpt from a chat transcript (edited for formatting and grammar) between ItsKahuna and "Presstorm": "I talked to my lawyer, the benefit of having a father as an attorney is I have connections, he will be representing me. He said when the FBI shows up don't tell them anything and give them his card and tell them if they need to talk they should go through him."

In fact, Borell's father is a lawyer based in Toledo, Ohio. He told Ars Technica that he is not representing his son in court, and declined all further comment.


Comments
AustinIT,
User Rank: Apprentice
4/19/2012 | 6:30:01 PM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
I agree with you there. SQL injection attacks are completely preventable. It's lazy developers who don't go through their code and fix these loose ends prior to releasing it to production.
YMOM100,
User Rank: Apprentice
4/19/2012 | 10:44:30 AM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
And which penalty does the moron get who made the computer system to be vulnerable to an SQL injection attack? That is a weakness that can be entirely prevented and tested for!
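Both comments above (AustinIT's and YMOM100's) make the same point: SQL injection is preventable, and its absence can be tested for. As an added example that is not part of the article or of either comment, here is the defect in its simplest form beside the fix, plus a check that a test suite can run against any lookup function. It uses an in-memory SQLite table shaped like the dumped records the article describes; the officers, hashes and inputs are constructed for the demonstration.

```python
"""String-built SQL beside its parameterized form, with a regression check a test suite can run.

Added example on an in-memory SQLite table; the officers, hashes and inputs are constructed.
"""
import hashlib
import sqlite3


def setup_db():
    """Create a small table shaped like the dumped records the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE officers (username TEXT PRIMARY KEY, pw_hash TEXT, email TEXT)")
    for user, pw in [("alice", "correct horse"), ("bob", "battery staple")]:
        # SHA-256 is a placeholder here; a real system stores a slow, salted password hash.
        h = hashlib.sha256(pw.encode()).hexdigest()
        conn.execute("INSERT INTO officers VALUES (?, ?, ?)", (user, h, f"{user}@example.org"))
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Splices the input into the SQL text, so quote characters in it become SQL syntax."""
    sql = f"SELECT username, email FROM officers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Passes the input as a bound parameter; the driver keeps it as data, never syntax."""
    sql = "SELECT username, email FROM officers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def input_treated_as_data(conn, lookup):
    """Regression check: a username that exists nowhere but carries SQL metacharacters must
    match no rows and raise no error. Fails for the string-built version, passes for the bound one."""
    probe = "nobody' OR '1'='1"
    try:
        return lookup(conn, probe) == []
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = setup_db()
    print("safe lookup:", lookup_safe(db, "alice"))
    print("string-built passes check:", input_treated_as_data(db, lookup_vulnerable))  # False
    print("parameterized passes check:", input_treated_as_data(db, lookup_safe))       # True
```

The check is deliberately generic: it takes the lookup function as an argument, so the same assertion can be pointed at every data-access function in a code base, which is the kind of pre-release test the comments are asking for.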
Mathew,
User Rank: Apprentice
4/18/2012 | 8:02:58 PM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
Interesting point, but I think you're missing the big picture. The people who are *really* good already know this stuff, take appropriate steps, and don't brag about their exploits over Twitter. (Look at the Nortel breach, which took 10 years for someone to spot and stop.)
The people who aren't so good, meanwhile, aren't going to learn their lessons--don't use Twitter to brag about hacking your neighbor's WiFi, after using the same IP to hack into two police department servers--even by reading the court documents used to charge their predecessors, or the wealth of material already in the public domain.
Finally, your Bin Laden example has been debunked as an urban myth.
JSmithy67,
User Rank: Apprentice
4/18/2012 | 7:05:38 PM
re: Anonymous Hackers Not Smart On Anonymity, Feds Say
So we all know how stupid some Anonymous hackers are now... but how stupid are the law enforcement employees for telling the idiots' associates where they need to better cover their tracks??
This is almost as bad as when Osama Bin Laden ditched the sat phone after a member of Congress told the press we almost had him by tracking it. You'd think we'd at least get some intelligent employees with our tax dollars.