Perimeter
3/22/2012
11:28 AM
Mike Rothman
Mike Rothman
Commentary
50%
50%

Keep Your Friends Close, Especially If They Are Anonymous

Sabu's traitorous ways reminds us of the sage advice to keep your friends close and your enemies closer

Hindsight is 20/20. It must be, since it seems no one was surprised by the big reveal that a main player in LulzSec and Anonymous, a fellow code-named "Sabu," had been working with the FBI and ratted on some of his partners in crime -- except maybe those said partners, as they were being led out of their hovels by federal agents.

Sabu acted to save himself, as it seems someone who outwardly cared about no one did care about the two young girls in his care. Maybe he reduced his sentence a little by cooperating, but I think he'll find his hacking skills relatively useless in the big house. Unless he becomes the sysadmin for the jail for $2.50 an hour. What could go wrong with that?

The other folks arrested will also spend some time in the big house, that much is clear. As Baretta says, "If you can't do the time, don't do the crime."

But there are some instructive lessons here. First, in terms of how they caught Sabu, evidently he forgot to run his session through Tor on a few occasions and the FBI tracked his IP address. From there they got the proper warrants to monitor what he was doing and had him dead to rights. Game over. Security folks complain the bad guys have to be right only once to compromise a system. That is true, but the sad tale of Sabu shows that the bad guys also need to be right every time to not get caught. They can never put their guard down. The FBI is watching. Always.

Ultimately, we learn once again that crime doesn't pay -- especially when the crime isn't financially motivated. They are banking on change, so let's ask the question: Has anything changed from the journeys of the Lulz boat? Maybe, but probably not the change the hacktivists intended. It has definitely been a wake-up call for organizations that they can (and probably will) be attacked in a brazen fashion. Maybe they'll even improve their security programs. Sony? Bueller? Bueller?

Will the turning of Sabu act as a deterrent to the cybervigilantes? If you listen to the rhetoric coming via the Anonymous marketing machine, then probably not as they are talking about the next dox drop and defacing on Twitter as you read this. But I'm not so sure. Seems these folks forgot about basic human nature. The self-preservation gene is strong in humans, as is the need to protect offspring. Every person has a breaking point, and law enforcement seems to be pretty effective at finding it. So there are decent odds that they've turned many other folks within these groups.

Remember, many of these folks don't "really" know each other. Do you think they continue to trust with a jail sentence on the line? That's to be determined, but in the good ol' days if you turned on your partners in crime, then they took it out on your family. There doesn't seem to be a similar retribution model among hacktivists. Not yet, anyway. And we'll also hear about hacktivism is an ideal, not a person or a group.

Some of those folks are questioning with whom they are collaborating. Just as you don't know whether someone on the Internet is a dog, you don't know whether Sabu is really an FBI turncoat. And that sows the seeds of mistrust, which is the death knell of any crime syndicate, formally organized or not. There is one security truism that definitely applies in this case, and that's: "Trust No One." I don't think truer words were ever spoken.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
herman_munster
50%
50%
herman_munster,
User Rank: Apprentice
4/5/2012 | 6:21:15 PM
re: Keep Your Friends Close, Especially If They Are Anonymous
"Maybe he reduced his sentence a little by-ácooperating"?!-á

He got Federal immunity on all charges in exchange for his cooperation. Instead of seeing the inside of a prison, he and his kids will enter the witness protection program...

Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.