Perimeter
3/22/2012
11:28 AM
Mike Rothman
Mike Rothman
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Keep Your Friends Close, Especially If They Are Anonymous

Sabu's traitorous ways reminds us of the sage advice to keep your friends close and your enemies closer

Hindsight is 20/20. It must be, since it seems no one was surprised by the big reveal that a main player in LulzSec and Anonymous, a fellow code-named "Sabu," had been working with the FBI and ratted on some of his partners in crime -- except maybe those said partners, as they were being led out of their hovels by federal agents.

Sabu acted to save himself, as it seems someone who outwardly cared about no one did care about the two young girls in his care. Maybe he reduced his sentence a little by cooperating, but I think he'll find his hacking skills relatively useless in the big house. Unless he becomes the sysadmin for the jail for $2.50 an hour. What could go wrong with that?

The other folks arrested will also spend some time in the big house, that much is clear. As Baretta says, "If you can't do the time, don't do the crime."

But there are some instructive lessons here. First, in terms of how they caught Sabu, evidently he forgot to run his session through Tor on a few occasions and the FBI tracked his IP address. From there they got the proper warrants to monitor what he was doing and had him dead to rights. Game over. Security folks complain the bad guys have to be right only once to compromise a system. That is true, but the sad tale of Sabu shows that the bad guys also need to be right every time to not get caught. They can never put their guard down. The FBI is watching. Always.

Ultimately, we learn once again that crime doesn't pay -- especially when the crime isn't financially motivated. They are banking on change, so let's ask the question: Has anything changed from the journeys of the Lulz boat? Maybe, but probably not the change the hacktivists intended. It has definitely been a wake-up call for organizations that they can (and probably will) be attacked in a brazen fashion. Maybe they'll even improve their security programs. Sony? Bueller? Bueller?

Will the turning of Sabu act as a deterrent to the cybervigilantes? If you listen to the rhetoric coming via the Anonymous marketing machine, then probably not as they are talking about the next dox drop and defacing on Twitter as you read this. But I'm not so sure. Seems these folks forgot about basic human nature. The self-preservation gene is strong in humans, as is the need to protect offspring. Every person has a breaking point, and law enforcement seems to be pretty effective at finding it. So there are decent odds that they've turned many other folks within these groups.

Remember, many of these folks don't "really" know each other. Do you think they continue to trust with a jail sentence on the line? That's to be determined, but in the good ol' days if you turned on your partners in crime, then they took it out on your family. There doesn't seem to be a similar retribution model among hacktivists. Not yet, anyway. And we'll also hear about hacktivism is an ideal, not a person or a group.

Some of those folks are questioning with whom they are collaborating. Just as you don't know whether someone on the Internet is a dog, you don't know whether Sabu is really an FBI turncoat. And that sows the seeds of mistrust, which is the death knell of any crime syndicate, formally organized or not. There is one security truism that definitely applies in this case, and that's: "Trust No One." I don't think truer words were ever spoken.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
herman_munster
50%
50%
herman_munster,
User Rank: Apprentice
4/5/2012 | 6:21:15 PM
re: Keep Your Friends Close, Especially If They Are Anonymous
"Maybe he reduced his sentence a little by-ácooperating"?!-á

He got Federal immunity on all charges in exchange for his cooperation. Instead of seeing the inside of a prison, he and his kids will enter the witness protection program...

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio