January 02, 2012
Anonymous imposters: hiding behind the AntiSec identity
Stilgherrian 2 January 2012
Anyone can say they're part of Anonymous.
It's the perfect cover for hackers with motives more sinister than fun and propaganda.
Could that be why private intelligence firm Stratfor was just hacked?
The Operation AntiSec collaborators Anonymous and LulzSec dominated media coverage of online security through 2011, taking credit for hacks of Sony, AT&T, the UK's Serious Organised Crime Agency and News International newspapers - even though the more serious cybercriminals continued working on the money-spinners.
The Stratfor hack looks like all the others. It was announced via Twitter accounts associated with Anonymous. Samples of the pilfered data were posted online as evidence. The hackers taunted the victim about its pathetic defences. And the data vandalism was dressed up as political action.
The victim - Stratfor - is based in Austin, Texas, and provides analysis of global security matters using open-source intelligence (OSINT) techniques - that is, they analyse publicly-available material. Anyone can subscribe to their newsletters, but their main business is providing secret, bespoke analysis to undisclosed corporate and government clients.
Over the Christmas weekend, AntiSec hackers posted data lifted from Stratfor's servers, including what they claimed to be the company's private client list, plus lists of passwords and credit card numbers.
The hackers told Wired that they'd penetrated Stratfor "several weeks ago" and obtained 200 gigabytes of data, including 2.7 million emails and various internal documents - the real target, according to Barrett Brown - more of which they intend to release soon.
There was also a surprise bonus: around 75,000 credit card numbers belonging to Stratfor subscribers. They've already been published.
They also claim to have wiped four of Stratfor's servers as well as the backups, and to have used some of the credit card numbers to donate between $500,000 and $1 million to charity.
A data breach on that scale would be embarrassing for any organisation. It's doubly so for Stratfor. More embarrassing still is the hackers' claim that credit card details were stored in plain text rather than being encrypted - a clear breach of the Payment Card Industry Data Security Standard (PCI DSS).
Stratfor has acknowledged the data breach via their Facebook page but has given few details:
"The [client list] disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications."
Sabu, the hacker who often speaks for AntiSec, explained the rationale for the attack. He tweeted:
"We are #antisec. We hack and expose security experts who are part of an industry hell-bent on scamming governments and users out of billions."
However, two documents raise doubts about Anonymous's role in the Stratfor hack. The first was an Emergency Christmas Anonymous Press Release:
"Hackers claiming to be Anonymous have distorted this truth [about Stratfor's role] in order to further their hidden agenda, and some Anons have taken the bait.
"Stratfor has been purposefully misrepresented by these so-called Anons and portrayed in false light as a company which engages in activity similar to HBGary. [A reference to the company that claimed to have infiltrated Anonymous and had threatened to attack WikiLeaks]
"Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs."
The hackers rejected the claim the following day:
"Anyone can claim to be Anonymous, but because of the inherent decentralised nature of Anonymous, without central top-down leadership, no individual is in a place to speak to the legitimacy of another individual or group's operation. Furthermore, our history of owning high profile targets as Anonymous has been well documented at the #antisec embassy and is well known and respected within all Anon communities."
Then on December 27, an article written by "A" was posted at Cryptome, a long-established website about freedom of speech, intelligence and surveillance:
"Anonymous fancies itself as some sort of hacktivist organization fighting for the greater good of all mankind. In reality it is nothing more than a name that different groups can hide behind in order to leak/drop information and attach itself to the Anonymous 'brand' or rather, its PR infrastructure.
"[Hacker] groups realised that by using the Anonymous name they could effectively use other Anonymous members as a 'human' shield and have some plausible deniability... Using Anonymous, anyone can hack/leak and delete corporate or government secrets and make it look like it was the 'hacktivists' that did it."
These high-profile hacks attract unsuspecting enthusiasts who then take part in denial of service attacks - and it's these scapegoats who end up getting arrested, leaving the real, more skilled culprits to continue operating in the shadows. Or so the theory goes.
The article speculates that Stratfor may have been targeted in part because it was easy to attack - something the hackers themselves seem to have confirmed - but it also asks why they didn't target one of the more politically relevant intelligence firms, like GK Sierra, Aegis, GPW or Hakluyt.
For my part, I wonder why the servers and the backups were erased.
"This then leaves the imagination to wander," the article said, "Was the Stratfor hack the work of a competitor? Foreign Intelligence Service?"
No evidence was offered, however, and the praise of Stratfor's work and the worthiness of its clients were expressed in similar terms to the emergency press release. I wouldn't be surprised if both documents represented a bit of Stratfor astroturfing. After all, being hacked by foreign spooks or serious cybercriminals sounds better than being hacked by a global rabble.
Still, there are persistent murmurings in the information security community that Anonymous isn't all that it seems. And recently I spoke with someone who had worked for a national intelligence agency until not that long ago. Being able to call yourself Anonymous was "handy", they said.
Stilgherrian is an opinionated and irreverent writer, broadcaster and consultant based in Sydney, Australia.
Read more: http://www.abc.net.au/unleashed/3749898.html