Perimeter
3/22/2012
11:28 AM
Mike Rothman
Mike Rothman
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Keep Your Friends Close, Especially If They Are Anonymous

Sabu's traitorous ways reminds us of the sage advice to keep your friends close and your enemies closer

Hindsight is 20/20. It must be, since it seems no one was surprised by the big reveal that a main player in LulzSec and Anonymous, a fellow code-named "Sabu," had been working with the FBI and ratted on some of his partners in crime -- except maybe those said partners, as they were being led out of their hovels by federal agents.

Sabu acted to save himself, as it seems someone who outwardly cared about no one did care about the two young girls in his care. Maybe he reduced his sentence a little by cooperating, but I think he'll find his hacking skills relatively useless in the big house. Unless he becomes the sysadmin for the jail for $2.50 an hour. What could go wrong with that?

The other folks arrested will also spend some time in the big house, that much is clear. As Baretta says, "If you can't do the time, don't do the crime."

But there are some instructive lessons here. First, in terms of how they caught Sabu, evidently he forgot to run his session through Tor on a few occasions and the FBI tracked his IP address. From there they got the proper warrants to monitor what he was doing and had him dead to rights. Game over. Security folks complain the bad guys have to be right only once to compromise a system. That is true, but the sad tale of Sabu shows that the bad guys also need to be right every time to not get caught. They can never put their guard down. The FBI is watching. Always.

Ultimately, we learn once again that crime doesn't pay -- especially when the crime isn't financially motivated. They are banking on change, so let's ask the question: Has anything changed from the journeys of the Lulz boat? Maybe, but probably not the change the hacktivists intended. It has definitely been a wake-up call for organizations that they can (and probably will) be attacked in a brazen fashion. Maybe they'll even improve their security programs. Sony? Bueller? Bueller?

Will the turning of Sabu act as a deterrent to the cybervigilantes? If you listen to the rhetoric coming via the Anonymous marketing machine, then probably not as they are talking about the next dox drop and defacing on Twitter as you read this. But I'm not so sure. Seems these folks forgot about basic human nature. The self-preservation gene is strong in humans, as is the need to protect offspring. Every person has a breaking point, and law enforcement seems to be pretty effective at finding it. So there are decent odds that they've turned many other folks within these groups.

Remember, many of these folks don't "really" know each other. Do you think they continue to trust with a jail sentence on the line? That's to be determined, but in the good ol' days if you turned on your partners in crime, then they took it out on your family. There doesn't seem to be a similar retribution model among hacktivists. Not yet, anyway. And we'll also hear about hacktivism is an ideal, not a person or a group.

Some of those folks are questioning with whom they are collaborating. Just as you don't know whether someone on the Internet is a dog, you don't know whether Sabu is really an FBI turncoat. And that sows the seeds of mistrust, which is the death knell of any crime syndicate, formally organized or not. There is one security truism that definitely applies in this case, and that's: "Trust No One." I don't think truer words were ever spoken.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
herman_munster
50%
50%
herman_munster,
User Rank: Apprentice
4/5/2012 | 6:21:15 PM
re: Keep Your Friends Close, Especially If They Are Anonymous
"Maybe he reduced his sentence a little by-ácooperating"?!-á

He got Federal immunity on all charges in exchange for his cooperation. Instead of seeing the inside of a prison, he and his kids will enter the witness protection program...

Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.