What we can learn from LulzSec

Post on 18-Nov-2014

What we can learn from LulzSec

PHDAYS 2012

About Me

• Jerry Gamblin
• Network Security Specialist – Missouri House Of Representatives
• Jerry.gamblin@gmail.com
• jerrygamblin.com
• @jgamblin (Twitter)

Why I am giving this talk…

Overview

• The Players
• The Vigilantes
• The Tools
• The Campaigns
• What we learned.
• How We Can Stop It.

The Players

Who is who?

Anonymous

LulzSec

Anti-Sec

Anonymous

• First active as a hacking group in 2008
• Originated on:
– 4CHAN
– Futaba (Japanese variant of 4CHAN)
– Encyclopædia Dramatica

LOLCATS

Membership

"[Anonymous is] the first Internet-based superconsciousness. Anonymous is a group, in the sense that a flock of birds is a group. How do you know they're a group? Because they're traveling in the same direction. At any given moment, more birds could join, leave, peel off in another direction entirely."

—Chris Landers. Baltimore City Paper, April 2, 2008

Mission Statement

"We [Anonymous] just happen to be a group of people on the internet who need — just kind of an outlet to do as we wish, that we wouldn't be able to do in regular society. ...That's more or less the point of it. Do as you wish. ... There's a common phrase: 'we are doing it for the lulz.'"

—Trent Peacock. Search Engine: The face of Anonymous, February 7, 2008.

Not So Anonymous

What A Hacker Looks Like…

What A Hacker Looks Like?

LulzSec

• Anonymous all-star team.
• Had 4 to 9 active members.
• Highly active and technical.
• "Laughing at your security since 2011!"

Sabu

Anarchaos

Topiary

Kayla

TFlow

Viral

Recursion

Anti-Sec

• Anti-Sec was the re-merger of LulzSec and Anonymous in late June 2011.

W0rmer & CabinCr3W

The Vigilantes

th3j35t3r

• @th3j35t3r
• Anti-Jihad hacker
• XerXes DDOS tool
• Leads the anti-Anonymous crusade on Twitter
• Went offline May 9th.

BacktraceSecurity

• backtracesecurity.com
• @backtracesec
• Gave a talk at Defcon19 about exposing anon.
– Anonymous and the rise of the Adhocracy

The Tools

IRC

• Mostly on irc.2600.net
• Anonymous channels
– #Anonymous
– #Antisec
• Anti-anonymous channels
– #AntiAntiSec
– #Prosec

Twitter

• Used mainly for press relations and public support.
• Main accounts:
– @anonymousirc
– @anonymousabu
– @youranonnews
– @anonops
– @anoncmd
– @lulzsec

PasteBin.com

• Public and anonymous clipboard.
• Developed to easily share source code.
• Used by Anonymous to share dox and dumps of stolen information.

CloudFlare.com

• Distributed cloud IDS/IPS.
• Hides your real server IP.
• Stops DDOS attacks.
• FREE!

Hidemyass.com

• VPN Service
• Anonymous internet identity
– 18,000 unique IP addresses

Doxing

• Public dump of an individual's personal information.

• Often leads to real life harassment.

Blackout Faxing

Low Orbit Ion Cannon

• Network stress testing tool.
– (Read DDOS tool)
• Written by Anonymous members.
• Hivemind
– Allows machines to join a voluntary botnet.
• Open source project hosted on sf.net

SQLMAP

• Open source database penetration testing tool.
• Works on the major SQL databases
– MySQL
– Oracle
– PostgreSQL
– Microsoft SQL
• "Wizard" mode.
• Ability to give you a root shell on Linux machines.
• Open source project hosted on sf.net

No Known 0-Days

The Campaigns

Epilepsy Foundation Forums

Date: March 2008

Targets:
• Epilepsy Foundation of America
• National Society for Epilepsy

Attack Method: Posting flashing images on the forums frequented by epilepsy sufferers in the attempt to cause seizures and migraine headaches.

No Cussing Club

Date: January 2009

Target: McKay Hatch

Attack Method:
• Posted his and his family's address, email and phone number online.
• Harassed him via email and phone calls.
• Pizza bombed his house.
• Subscribed him to over 100 pornographic magazines.

Operation Titstorm

Date: February 2010

Target: Australian government for passing anti-pornography law dealing with animated pornography.

Attack Method:
DDOS:
• Australian Parliament
Defaced:
• Australian Prime Minister
Fax Attack:
• Australian Government communications department.

Operation Payback

Date: September 2010

Target: Aiplex Software for DDOSing sharing sites after they refused to remove copyrighted material.

Attack Method:
DDOS:
• ACS:Law
• Australian Federation Against Copyright Theft
• ACAPOR
• Ministry of Sound
• Spanish Copyright Society
SQLI:
• UK Intellectual Property Office
Defaced:
• GeneSimmons.com

Operation Avenge Assange

Date: December 2010

Target: Companies who stopped processing donations to Assange or stopped hosting WikiLeaks content.

Attack Method:
DDOS:
• PostFinance
• Swedish Prosecution Authority
• EveryDNS
• MasterCard
• Borgström and Bodström
• Visa
• PayPal
• PayPal API
• Sarah Palin
• Joseph Lieberman
Aborted DDOS:
• Amazon

Operation Sony

Date: February 2011

Target: Sony for their lawsuit against George Hotz who hacked the PS3.

Attack Method:
SQLI:
• Sony PlayStation Network
• Sony Online Entertainment
• Sony BMG America
• Sony Music Japan
• Sony BMG Greece
• Sony Portugal

Operation Tunisia

Date: May 2011

Target: Tunisian Government Websites

Attack Method:
DDOS:
• President
• Prime Minister
• Ammar 404
• Ministry of Industry
• Ministry of Foreign Affairs
• Tunisian Stock Exchange

Operation Egypt

Date: May 2011

Target: Egyptian Government Websites

Attack Method:
DDOS:
• Cabinet Minister
• Ministry of the Interior
• Ministry of Communications and Technology

HBGary Federal

Date: February 2011

Target: Aaron Barr for a talk he was going to give on exposing Anonymous members at a BSides event in San Francisco.

Attack Method:
HBGary.com:
• SQLI hbgary.com
Aaron Barr:
• Released SSN
• Released personal emails
• Took over his Twitter account
• Remotely wiped iPad/iPhone
• Exposed his World of Warcraft character name.
• Obviously the most embarrassing.

Operation Anti-Sec

Date: February 2011

Targets: Police associations and federal security contractors for the arrest of Anonymous and LulzSec members.

Attack Method:
DDOS:
• United States Court of Appeals for the Ninth Circuit
SQLI:
• IRC Federal
• Booz Allen Hamilton
• Vanguard Defense
• Missouri Sheriffs' Association
• Texas Police Chiefs Association
• Arizona Department of Public Safety
DOX:
• Richard Garcia

Operation Orlando

Date: June 2011

Targets: The city of Orlando for the arrest of "Food Not Bombs" members for handing out food in city parks without a free permit.

Attack Method:
DDOS:
• Orlando Mayor's website
SQLI:
• Roman Catholic Diocese of Orlando
• Rotary Club of Orlando
• Orlando Chamber of Commerce
Threat of Physical Violence:
• Orlando Mayor

Orlando Mayor

Operation Bart

Date: August 2011

Target: BART for shutting down cell phone repeater services to stop protest of the murder of Oscar Grant.

Attack Method:
SQLI:
• BART Police Officer's Association
• MyBART.org

Operation DarkNet

Operation MegaUpload

Date: January 2012

Targets: Anyone involved in the criminal case against Megaupload.

Attack Method:
DDOS:
• UMG (Universal Music Group)
• Warner Brothers Music
• MPAA
• RIAA
• United States Department of Justice
• FBI

Vatican Website Attacks

Operation Russia

Date: February 2012

Targets: Email accounts of prominent pro-Kremlin activists and officials. Dispensing that information at @OP_Russia on Twitter.

Attack Method:
Email Hack of:
• Kristina Potupchik, press secretary for Nashi youth movement
• Oleg Khorokhordin, deputy head of the Department for Internal Affairs at the Presidential Administration
• Vasily Yakemenko, head of the Federal Agency for Youth Affairs

What we learned.

Not Advanced; But Persistent

Target by Association

Guilty by Association

Sympathetic Industry?

• Brings recognition to their jobs.
• Helps increase funding.
• Get to LULZ at the victim.

How can we stop it?

Real Security Awareness

Hack Yourself

Hire a Penetration Tester

Help Your Associates

Listen!

Any questions?

Contact Info

• Jerry Gamblin
• Network Security Specialist – Missouri House Of Representatives
• @jgamblin (Twitter)
• Jerry.gamblin@gmail.com
• www.jerrygamblin.com

Thank you!

#LulzSecReborn (They are making a comeback)
