With Anonymous and LulzSec, is anyone believable?
For several months, hackers have been having a heyday taking down Web sites and leaking data from compromised servers with victims ranging from the CIA and U.S. Senate to Sony, Citigroup and the Turkish government. (A growing list of attacks is here).
A 19-year-old identified as Ryan Cleary was arrested Tuesday in the U.K. on hacking charges, but it's unclear whether he was involved with either of the two main hacker groups that have been taking responsibility for and organizing some of the attacks--Anonymous and LulzSec.
In the game of disinformation and occasional real information surrounding the recent flurry of hacks, this sort of confusion is par for the course. With the odd jousting between hackers and feds, you can't trust anything until you see the proof, and even then how do you know it's legitimate? Hacker groups are hotbeds of egos seeking bragging rights, in-fighting, revenge attacks, mischief, and outright lies.
"Ryan Cleary is not part of LulzSec; we house one of our many legitimate chatrooms on his IRC server, but that's it," LulzSec tweeted. "Clearly the UK police are so desperate to catch us that they've gone and arrested someone who is, at best, mildly associated with us. Lame."
Meanwhile, the group outed two hackers who it claims provided information to authorities that led to Cleary's arrest. LulzSec published contact information for two hackers identified as "m_nerva" and "hann" in a public message to the FBI. They also accused "m_nerva" of hacking the game Deus Ex and said he was trying to flee the U.S. "These goons begged us for mercy after they apologized to us all night for leaking some of our affiliates' logs," the statement says. "There is no mercy on The Lulz Boat." Later, a Twitter account associated with LulzSec and Anonymous posted a message that said: "RIP Ryan. Narced by m_nerva aka cimx aka rq42 and hann. Ryan hosted IRC for ED and other chans. Had nothing to do with lulzsec."
"If he was involved with these groups, the question is who does he know? What does he know? And what does he have on his computer?" said Jennifer Granick, an attorney with the law firm of Zwillinger Genetski who specializes in hacking cases. "They've got his computers. That investigation is going to take some time."
The first big arrest in a case can be crucial. Law enforcement usually will try to nab a key operative or someone who can name others and provide evidence. "If [Cleary] is involved, that is a crack in the door and [investigators] may or may not be able to ferret out other people," Granick said.
The attacks have not only exposed consumer data but have been designed to embarrass big companies and government agencies. No doubt, officials are anxious to put a stop to the headlines.
LulzSec has been particularly adept at public relations with its audacious targets and humorous messages on Twitter and other antics. For instance, their latest campaign has been promoted in graffiti at San Francisco's Ocean Beach. They also managed to get hundreds of people to automatically join one of their operations servers Tuesday on Internet Relay Chat by tweeting a shortened URL.
They have their detractors too. A blog called LulzSec Exposed says it is providing information to authorities. And members of an organization called Backtrace Security claim to be researching the hacking groups too.
"I believe that with all the media attention surrounding (the attacks) that law enforcement will make a concerted effort to saturate the media with the message of 'yes, we're doing our jobs. We're on top of this,' to try to take away some of the impact of the LulzSec press," said Jericho, a security professional who asked to be identified by his hacker name. He founded the Attrition.org site more than a decade ago to catalog and share information on hacking activities.
The hackers are a slippery lot, making it difficult to really pin them down. Both Anonymous and LulzSec are de-centralized groups, without formal structures and relying on low-level participants and sympathizers to carry out some of the larger campaigns. LulzSec is believed to be a spin-off of Anonymous, and there is certainly some overlap. The groups joined forces in an "Anti-Sec" (anti-security) campaign earlier this week aimed at government, financial, and other high-profile targets.
The attacks may seem innocent enough, aiming to send a message or prove that a particular site is insecure. So far, they have been mostly distributed denial-of-service (DDoS) attacks designed to temporarily shut down a site, some Web site defacements, and quite a few compromises of servers that exposed data that was then leaked to the Web. The exposed data was primarily customers' e-mail addresses and passwords.
These attacks are not financially motivated, but that doesn't mean victims and prosecutors won't come up with large monetary amounts to justify damage claims. For consumers, there is the fear that others could use their leaked data to target them with phishing attacks and other methods of stealing from their bank and credit card accounts. "If someone posts my e-mail address and someone else uses it, are [the original posters] responsible for a subsequent hack," Granick wondered.
"Even though the group isn't financially motivated they're leaking data that has financial value to it," Jericho said.
Under U.S. federal law, first time offenders face up to five years in prison, but sentences depend on damages, and damages can be aggregated over the course of conduct, according to Granick. Cases are based on technical evidence and testimony from accomplices and others.
"Prosecutors don't have to prove you caused the damage beyond a reasonable doubt," she said. "A defendant can be sentenced on related conduct too."
The more data and people affected, the more opportunity for prosecutors to inflate the damages. With the Sony breaches alone, data from more than 100 million accounts were exposed. "They only need to find a few people who suffered harm and they can aggregate that," Granick said.
And who exactly is at risk in hacking campaigns that have few organizers but thousands of sympathizers who allow their computers to be used in DDoS attacks?
Prosecutors would have to show that a defendant was actively involved in an incident and this would include downloading a tool that lets your computer take part in a DDoS attack, according to Granick.
"If you downloaded the tool and made yourself part of the network that DDoSed a site you are going to be held responsible even though you weren't the organizer," she said. "The question will be, to what degree?"