What we can learn from LulzSec
Speaker notes:
  • “Not an expert.” Blew up in my back yard. Had to be able to talk about this intelligently to the legislature.
  • Who is who? They are all basically the same people.
  • Guy Fawkes mask on Amazon.
  • 4chan is an image board / discussion board. Lots of popular internet memes start there, Lolcats being the most famous.
  • Over 50 arrest and search warrants issued for Anonymous members in the United States.
  • Arrested because of DDoS on PayPal during Operation Assange. Anon DDoSed TPM to keep these mug shots offline on 9/9/11.
  • Left: Mercedes Renee Haefer, 20, is a Sony cashier and a student at UNLV. Hilarious interview with Gawker after the FBI search warrant: http://gawker.com/5757995/an-interview-with-a-target-of-the-fbis-anonymous-probe Right: Tracy Ann Valenzuela, 42. Arrested because of DDoS on PayPal.
  • Leader. Hector Xavier Monsegur. Turned CI last summer. Involved in Operation Wall Street. Highly active on Twitter as @anonymouSabu. Caught by logging into IRC one time from his public IP.
  • Jeremy Hammond. Chicago. Stratfor hack. Arizona Department of Public Safety. http://www.informationweek.com/news/security/attacks/240000391
  • Jake Davis. 18 years old. Shetland Islands. Arrested 7/31/11.
  • Ryan Ackroyd. “16 year old girl.” Really a 24-year-old and a 20-year-old man. One arrested in Yorkshire, one arrested in Wiltshire. Arrested 9/22.
  • Solmon Saleh. Ran website. 22 year old male. Waiting for mugshot. Arrested 7/19/11. http://www.channel4.com/news/a-love-of-guns-chemistry-and-assange-lulzsec-unmasked
  • Ryan Cleary. 19 years old. Wickford, Essex. Hosted IRC servers for LulzSec and DDoS. Arrested 6/22.
  • Cody Kretsinger. 23 years old. University of Advancing Technology. Sony hack. 9/23. Cisco Security both at Defcon.
  • After arrests had been made: back into the flock / end of LulzSec.
  • W0rmer, member of Anti-Sec. Busted when he forgot to remove EXIF data. http://takedownnews.com/very-revealing-boobs/
  • Highly technical. Ex-military. More than one person? State sponsored (?). Spoke at Hacker Halted earlier this month.
  • Used IRC to infiltrate the group. Gave a great talk at Defcon 19.
  • Yes, this is still around. Most active place for Anonymous to organize.
  • Most public form of communication.
  • Missouri Sheriffs Association SSN leak had 10K views before it was removed. Views = ad impressions = money.
  • Basically a cloud based IDS/IPS.
  • 10,000, or 25%, new requests 3 months after LulzSec announced use of the service.
  • Anonymous hates them now. Collected connection info, not activity. Recursion arrested via this.
  • Ineffective. Most people have eFaxes now.
  • McKay Hatch
  • 70 million records from the PSN hack. Anon doesn’t take credit for it. 25 million records from SOE. 5 million from other hacks.
  • DDoS stopped when Ammar 404 blocked access to these servers from outside the country.
  • Most serious threat.
  • In October 2011, the collective campaigned against child pornography sites hosted behind Tor. They published the names of over 1,500 people frequenting those websites and invited the FBI and Interpol to follow up.
  • Vatican website was brought down temporarily by a DDoS attack from Anonymous on March 7.
  • Never hacked “bart.gov”.
  • When you can’t get your admins to follow your advice, you are not doing it right.
  • You have access to the same tools these guys use. You should really consider using them.
  • There are a bunch of good pen testers around locally.
  • Know who your associates are. Talk security with them.
  • Being an active listener is key to staying on top of groups like this. Often they announce targets before the hack.
  • Any questions?
  • Thank you!
  • A group using the name LulzSec stole 139,000 accounts from militarysingles.com in March. http://threatpost.com/en_us/blogs/anatomy-lulzsec-attack-singles-out-web-20-weakness-052312 http://pastebin.com/JRY3cA5T
  • What we can learn from LulzSec

Slide transcript:

    1. What we can learn from LulzSec. PHDAYS 2012.
    2. About Me
       • Jerry Gamblin
       • Network Security Specialist – Missouri House Of Representatives
       • Jerry.gamblin@gmail.com
       • jerrygamblin.com
       • @jgamblin (twitter)
    3. About Me
    4. About Me
    5. Why I am giving this talk…
    6. Why I am giving this talk…
    7. Why I am giving this talk…
    8. Overview
       • The Players
       • The Vigilantes
       • The Tools
       • The Campaigns
       • What we learned.
       • How We Can Stop It.
    9. The Players
    10. Who is who? Anonymous / Anti-Sec / Lulzsec
    11. Anonymous
    12. Anonymous
    13. Anonymous
       • First active as a hacking group in 2008
       • Originated on:
         – 4CHAN
         – Futaba (Japanese variant of 4CHAN)
         – Encyclopædia Dramatica
    14. LOLCATS
    15. Membership
       "[Anonymous is] the first Internet-based superconsciousness. Anonymous is a group, in the sense that a flock of birds is a group. How do you know they're a group? Because they're traveling in the same direction. At any given moment, more birds could join, leave, peel off in another direction entirely."
       —Chris Landers. Baltimore City Paper, April 2, 2008
    16. Mission Statement
       "We [Anonymous] just happen to be a group of people on the internet who need — just kind of an outlet to do as we wish, that we wouldn't be able to do in regular society. ... That's more or less the point of it. Do as you wish. ... There's a common phrase: we are doing it for the lulz."
       —Trent Peacock. Search Engine: The face of Anonymous, February 7, 2008.
    17. Not So Anonymous
    18. What A Hacker Looks Like…
    19. What A Hacker Looks Like?
    20. LulzSec
       • Anonymous all-star team.
       • Had 4 to 9 active members.
       • Highly active and technical.
       • "Laughing at your security since 2011!"
    21. Sabu
    22. Anarchaos
    23. Topiary
    24. Kayla
    25. TFlow
    26. Viral
    27. Recursion
    28. Anti-Sec
       • Anti-Sec was the re-merger of LulzSec and Anonymous in late June 2011.
    29. W0rmer & CabinCr3W
    30. The Vigilantes
    31. th3j35t3r
       • @th3j35t3r
       • Anti-Jihad hacker
       • XerXes DDOS tool
       • Leads the anti-Anonymous crusade on Twitter
       • Went offline May 9th.
    32. BacktraceSecurity
       • backtracesecurity.com
       • @backtracesec
       • Gave a talk at Defcon 19 about exposing Anon.
         – Anonymous and the Rise of the Adhocracy
    33. The Tools
    34. IRC
       • Mostly on irc.2600.net
       • Anonymous channels
         – #Anonymous
         – #Antisec
       • Anti-Anonymous channels
         – #AntiAntiSec
         – #Prosec
    35. Twitter
       • Used mainly for press relations and public support.
       • Main accounts:
         – @anonymousirc
         – @anonymousabu
         – @youranonnews
         – @anonops
         – @anoncmd
         – @lulzsec
    36. PasteBin.com
       • Public and anonymous clipboard.
       • Developed to easily share source code.
       • Used by Anonymous to share dox and dumps of stolen information.
    37. CloudFlare.com
    38. CloudFlare.com
       • Distributed cloud IDS/IPS.
       • Hides your real server IP.
       • Stops DDOS attacks.
       • FREE!
    39. Hidemyass.com
       • VPN service
       • Anonymous internet identity
         – 18,000 unique IP addresses
    40. Doxing
       • Public dump of an individual's personal information.
       • Often leads to real-life harassment.
    41. Blackout Faxing
    42. Low Orbit Ion Cannon
    43. Low Orbit Ion Cannon
       • Network stress testing tool.
         – (Read: DDOS tool)
       • Written by Anonymous members.
       • Hivemind
         – Allows machines to join a voluntary botnet.
       • Open source project hosted on sf.net
    44. SQLMAP
       • Open source database penetration testing tool.
       • Works on the major SQL databases
         – MySQL
         – Oracle
         – PostgreSQL
         – Microsoft SQL
       • “Wizard” mode.
       • Ability to give you a root shell on Linux machines.
       • Open source project hosted on sf.net
    45. SQLMAP
    46. No Known 0-Days
    47. The Campaigns
    48. Epilepsy Foundation Forums
       Date: March 2008
       Targets: Epilepsy Foundation of America; National Society for Epilepsy
       Attack Method: Posting flashing images on the forums frequented by epilepsy sufferers in the attempt to cause seizures and migraine headaches.
    49. No Cussing Club
    50. No Cussing Club
       Date: January 2009
       Target: McKay Hatch
       Attack Method:
       • Posted his and his family's address, email and phone number online.
       • Harassed him via email and phone calls.
       • Pizza bombed his house.
       • Subscribed him to over 100 pornographic magazines.
    51. Operation Titstorm
       Date: February 2010
       Target: Australian government for passing an anti-pornography law dealing with animated pornography.
       Attack Method:
       DDOS: • Australian Parliament
       Defaced: • Australian Prime Minister
       Fax Attack: • Australian Government communications department.
    52. Operation Payback
    53. Operation Payback
       Date: September 2010
       Target: Aiplex Software for DDOSing sharing sites after they refused to remove copyrighted material.
       Attack Method:
       DDOS:
       • ACS:Law
       • Australian Federation Against Copyright Theft
       • ACAPOR
       • Ministry of Sound
       • Spanish Copyright Society
       SQLI:
       • UK Intellectual Property Office
       Defaced:
       • GeneSimmons.com
    54. Operation Avenge Assange
       Date: December 2010
       Target: Companies who stopped processing donations to Assange or stopped hosting WikiLeaks content.
       Attack Method:
       DDOS:
       • PostFinance
       • Swedish Prosecution Authority
       • EveryDNS
       • MasterCard
       • Borgstrom and Bodström
       • Visa
       • PayPal
       • PayPal API
       • Sarah Palin
       • Joseph Lieberman
       Aborted DDOS:
       • Amazon
    55. Operation Sony
    56. Operation Sony
       Date: February 2011
       Target: Sony for their lawsuit against George Hotz, who hacked the PS3.
       Attack Method:
       SQLI:
       • Sony PlayStation Network
       • Sony Online Entertainment
       • Sony BMG America
       • Sony Music Japan
       • Sony BMG Greece
       • Sony Portugal
    57. Operation Tunisia
    58. Operation Tunisia
       Date: May 2011
       Target: Tunisian Government Websites
       Attack Method:
       DDOS:
       • President
       • Prime Minister
       • Ammar 404
       • Ministry of Industry
       • Ministry of Foreign Affairs
       • Tunisian Stock Exchange
    59. Operation Egypt
       Date: May 2011
       Target: Egyptian Government Websites
       Attack Method:
       DDOS:
       • Cabinet Minister
       • Ministry of the Interior
       • Ministry of Communications and Technology
    60. HBGary Federal
       Date: February 2011
       Target: Aaron Barr for a talk he was going to give on exposing Anonymous members at a BSides event in San Francisco.
       Attack Method:
       HBGary.com
       • SQLI hbgary.com
       Aaron Barr
       • Released SSN
       • Released personal emails
       • Took over his Twitter account
       • Remotely wiped iPad/iPhone
       • Exposed his World of Warcraft character name.
         • Obviously the most embarrassing.
    61. Operation Anti-Sec
       Date: February 2011
       Targets: Police associations and federal security contractors for the arrest of Anonymous and LulzSec members.
       Attack Method:
       DDOS:
       • United States Court of Appeals for the Ninth Circuit
       SQLI:
       • IRC Federal
       • Booz Allen Hamilton
       • Vanguard Defense
       • Missouri Sheriffs Association
       • Texas Police Chiefs Association
       • Arizona Department of Public Safety
       DOX:
       • Richard Garcia
    62. Operation Orlando
       Date: June 2011
       Targets: The city of Orlando for the arrest of “Food Not Bombs” members for handing out food in city parks without a free permit.
       Attack Method:
       DDOS:
       • Orlando Mayor’s website
       SQLI:
       • Roman Catholic Diocese of Orlando
       • Rotary Club of Orlando
       • Orlando Chamber of Commerce
       Threat of Physical Violence:
       • Orlando Mayor
    63. Orlando Mayor
    64. Operation Bart
       Date: August 2011
       Target: BART for shutting down cell phone repeater services to stop protest of the murder of Oscar Grant.
       Attack Method:
       SQLI:
       • BART Police Officer’s Association
       • MyBART.org
    65. Operation DarkNet
    66. Operation MegaUpload
       Date: January 2012
       Targets: Anyone involved in the criminal case against Megaupload.
       Attack Method:
       DDOS:
       • UMG (Universal Music Group)
       • Warner Brothers Music
       • MPAA
       • RIAA
       • United States Department of Justice
       • FBI
    67. Vatican Website Attacks
    68. Operation Russia
       Date: February 2012
       Targets: Email accounts of prominent pro-Kremlin activists and officials. Dispensing that information at @OP_Russia on Twitter.
       Attack Method:
       Email hack of:
       • Kristina Potupchik, press secretary for the Nashi youth movement
       • Oleg Khorokhordin, deputy head of the Department for Internal Affairs at the Presidential Administration
       • Vasily Yakemenko, head of the Federal Agency for Youth Affairs
    69. What we learned.
    70. Not Advanced; But Persistent
    71. Target by Association
    72. Guilty by Association
    73. Sympathetic Industry?
       • Brings recognition to their jobs.
       • Helps increase funding.
       • Get to LULZ at the victim.
    74. How can we stop it?
    75. Real Security Awareness
    76. Real Security Awareness
    77. Hack Yourself
    78. Hire a Penetration Tester
    79. Help Your Associates
    80. Listen!
    81. Any questions?
    82. Contact Info
       • Jerry Gamblin
       • Network Security Specialist – Missouri House Of Representatives
       • @jgamblin (twitter)
       • Jerry.gamblin@gmail.com
       • www.jerrygamblin.com
    83. Thank you!
    84. #LulzSecReborn (They are making a comeback)
