LulzSec, Jester, and Counter-Intelligence on the Internet

Monday, June 20, 2011

Infosec Island Admin


Escalation:

I once wrote a blog post about ‘escalation’ and it seems that my fears are coming true as the Lulz Boat keeps making waves across the Internet. Between LulzSec, Jester, Anonymous, and now God knows who else, we are seeing a re-birth of the 90s anarchy hacking.

However, since so much has changed network-wise since the 90s, it has been amplified a thousandfold. What has spun out of all the hacking (hacktivism, vigilantism, whatever you want to call it) is that we are seeing just how a counter-intelligence operation is carried out.

Th3j35t3r and his friends at the Web Ninjas are carrying out this counter-intelligence program and posting their findings on LulzSecExposed as well as on th3j35t3r’s own WordPress site.


To date, their efforts do not seem to have slowed LulzSec’s antics or generated any federal arrests of anyone involved. However, I think it is important to note the methods being used here to attempt to put faces to names in the Lulz crew.

The LulzSec Problem:

The problem with trying to track LulzSec members is primarily that the technologies they are using prevent getting a real idea of where and who they are. By using VPNs, proxies, and compromised systems in the wild, they have been able to keep their true identities from being exposed in any more meaningful way than screen names. Due to the problems of digital attribution, the governments of the world cannot quite get their hands around who these people are, nor would they be able to prove it in a court of law at present without solid digital forensics on the end users’ machines.

In the case of LulzSec and Anonymous, they are not using just one system but many types of systems to protect their anonymity. Thus, with the right tools and obfuscation, they feel impervious to attack from anyone, be they government, law enforcement, or the likes of Th3j35t3r. Tactically, they have the advantage in many ways, and it would take one of two types of attacks, if not both simultaneously, to take the LulzSec and Anonymous core group down.

The attacks I mention are these:

1) A direct attack on their IRC servers that host the secret C&C channels

2) Insertion of ‘agent provocateurs’ into the C&C of LulzSec and Anonymous (as recently alluded to by the FBI statistic that one in four hackers is a CI)

I would actually suggest that both avenues of attack would have the best effect, along with a healthy program of disinformation and PSYOPS to keep the adversary unbalanced and malleable. Which leads me to my next section: the methods of attack.

Counter-Intelligence:

An overall category, counter-intelligence encompasses all of the aforementioned types of attacks. In the case of LulzSec, anyone within the community that encompasses infosec or Anonymous could be a member. Hell, Jester could actually know some of these people in real life, just as you the reader might, and never know it if the member never talks about it. I imagine it’s kind of like Fight Club:

The first rule of Fight Club is, you do not talk about Fight Club. The second rule of Fight Club is, you DO NOT talk about Fight Club.

If anyone talks, they could end up in some serious frak and, in this case, disappeared pretty quickly if the governments in question get their hands on them. This is especially true now that they have hit the FBI and CIA with their attacks and derision… But I digress. The key here is that because no one knows who is who, or is talking about it, it is very analogous to a mole hunt or to counter-intelligence operations that seek to locate spies within the community (such as within the CIA). There are whole divisions in the CIA and FBI, as well as other places, that are solely devoted to this type of war of attrition.

I believe, though, that it is a counter-intelligence operation that will win the day in the battle against LulzSec or any other like-minded adversary. Winning that battle will take the following types of sub-operations as well.

PSYOPS & Disinformation:

PSYOPS and disinformation work together to unbalance the adversary as well as spin the masses toward compliance or action. In the case of LulzSec, this type of activity is already ongoing with their own ‘Manifesto’ and other publicity that they have put out. They want to spin opinion and generate adoration as well as fear; both of these are in evidence within the media cycle and the public’s perception of who and what they are. Where I am seeing both types of activity on LulzSec’s part, I can also see it within the actions of Jester and the Web Ninjas.

On the part of LulzSec, the following psychological operations and disinformation campaigns can be seen:

  • For each alleged ‘outing’ of a member, they claim that these are not core members of their group (note that they do not claim the Anonymous model of headless operations); such outed persons who can be connected to them are merely underlings in open IRC channels
  • Affecting accents and 4chan speak to attempt to hide their real patterns of writing and mannerisms
  • A claim to be having battles with 4chan and /b/ as well as Anonymous, while they seem much more aligned to them (distancing)
  • The use of agent provocateurs against Jester within his own coterie of followers and open IRC channel
  • The use of flash mobs (abuse) within Jester’s open IRC channel
  • Leveraging the fact that they are anonymous (in concept) and due to the technology today, virtually untouchable

On the part of Jester we have the following operational tactics used so far:

  • The outing of individuals believed to be core members of the group (whether or not correct, this will prompt a reaction from LulzSec that may be telling)
  • The use of agent provocateurs to place disinformation as well as gather intel on the adversary (LulzSec), which can be seen in leaked IRC chat transcripts
  • The creation of analogous groups such as the Web Ninjas to work against LulzSec
  • Leveraging the fact that he is just as anonymous (in concept) as they are and due to the technology today, virtually untouchable

It seems that on both sides of the battle these types of actions are being used to mislead and gain the edge over the other. In the case of Jester, I am pretty sure that this is an overt thing. With LulzSec, on the other hand, I see it as a reactionary set of measures to attempt to keep themselves from being exposed as to who and where they are. As this continues, I am willing to hazard that even more players are quietly playing a part in this war, and those would be the government operatives looking for an in to take the Lulz down. Of course, the government has been pretty quiet about LulzSec, hasn’t it? One wonders just what they are up to, if anything at all.

Of course, the NSA may just be the dark horse here… And the Lulz won’t know what hit them. Then it will be over.

Development of Sources:

One of the more tradecraft-oriented things that must be going on is the use of sources, or getting assets into positions to be inside the Lulz Boat. I am sure that there are players out there sidling up to the right users on the IRC channels in an attempt to get into the inner circle of LulzSec as well as Anonymous. These assets are likely to be working for the government, but I can also see someone like Jester using the same tactic, if not posing as the asset himself. Given the problems of tracking these people, this is the best way to get close to the Lulz and to gather raw intelligence on them. After all, even if not fully trusted, an asset can gather important data on the actions of the Lulz and be there when they make a crucial mistake.

The other side of that coin may be people who have been outed and were in fact affiliated with the Lulz. This is where the FBI has a forte in turning hackers into informants by allowing them to work for the Bureau instead of just being put in a hole somewhere. It has happened in the past (carders, for example) and is likely the case with the Lulz. After all, some have been ‘vanned’ already in Anonymous circles and I have yet to hear about any real solid court cases being filed. So one tends to think that there is a bit of cooperation going on with those who have already been popped for being suspected ‘anons’.

In the case of the Lulz, we have yet to see or hear of anyone being taken into custody for being affiliated with them. But the day is young, especially of late.

Habits Will Be Their Downfall:

Overall, I would say from what I have seen in IRC and in other data out there on key user names that human nature and habits will be the downfall of the Lulz. People have habits, and these can be leveraged to attack them. No one is perfect, and none of these people, to my knowledge, have been trained to avoid the pitfalls of habit the way a trained operative would. That Jester seems to have hit the mark in a few cases tells us that people are leaking data. Either the Lulz themselves have been careless (as they harp on password re-use, I harp on user name re-use), or they have indeed been infiltrated by assets of the enemy, or they have decided to go down another, less dangerous path in hopes of not being prosecuted.

Habitual behaviour, too, is not only action but mannerisms, thought processes, and the enunciation of motives. Just as coders tend to code in specific ways that can be used as ‘digital DNA’, so too can writing patterns, speech, etc., even when clothed in 4chan speak. As well, the human habit of being trusting will be their downfall. After all, unless this is a one-person operation, there are many links in the chain that could and will be exploited. As people seem to be dropping off the Lulz Boat (per Jester’s data), they will need new blood to keep the Lulz going, and that means they will have to recruit, vet, and eventually trust someone…

And that is where the counter-intelligence operation will seal the deal… The phrase “Trust No One” just cannot be a reality in any operation. This is why operations sometimes fail: because you trust the wrong person.

Over Reliance On Technology:

In the meantime, the Lulz seem to be relying quite a bit on technologies that are rapidly becoming susceptible to attacks by those who want to capture or stop them. The use of anonymizing proxies like Tor, while effective now, is also compromisable from a few different perspectives. The technology may be solid, but the legal pressures on those who run it may in fact lead to compromise, just as any of these avenues of anonymization could in fact be honeypots set up to capture data. A case in point would be Tor, which was a Navy project to begin with, and anyone who has set up an exit node can in fact sniff the traffic for data that may be helpful in getting a lock on a user.

Additionally, any other technology, like the cloud services that host their data or facilitate anything the Lulz do, could potentially be compromised if the right people are involved (*cough* NSA *cough*) who have the latitude to do what they like. Given today’s surprising number of laws being passed that erode all of our rights to privacy, I should think that the days are numbered for the Lulz on the technical playground as the boys at Ft. Meade start getting their orders to lock and load.

Never place so much trust in technologies that YOU do not run solely yourself. Remember, the government can make any company the MITM attacker and YOU the attacked.

The End:

In the end, I think that the Lulz have pointed out the ‘elephant with its trunk in our collective coffee’, but at what price? Will this change the paradigm and make the government care about security in a more cogent way? No. Instead they will come up with tougher laws and more ways to invade privacy by shortcutting the process. Sure, frak is out there and it is vulnerable, but you know what? It always will be. If it isn’t some very low-hanging fruit like SQLi, then it will be 0day. There will always be a way in. That is just the nature of things, and the Lulz will have shifted the paradigm... Because truly, the Lulz will be on LulzSec, emotionally charged and sorry for their actions... while sitting in jail.

K.

*EDIT* Oh, and one more thing to add here as an afterthought. May I remind you all that the laws are changing and the Patriot Act has been re-signed. The Lulz, having upped the ante, can easily be considered ‘Domestic Terrorists’. This would place them in an even more precarious position, because then the legal gloves come off…

One man’s Domestic Terrorist is another man’s “Enemy Combatant”.

Cross-posted from Krypt3ia

Peter Noone: You make a number of valid points here, or perhaps I should say, you propose very valid points and then rant them a little further than they can go without losing their intended impact. Specifically, your points about operational security: you rightly underline its importance, but you make far too much out of your assumption that AnonOps and Lulzsec failed to adhere to these rules or lost focus on them. I'm not sure there are enough facts to justify that assumption, and I get the distinct sense that you're not speaking from first-hand experience hanging out in their chans. Some basic facts that everyone knows about the way Anonymous functions:

1.) There are serious people, seriously capable people, and the usual randoms that mill about but can't offer any skillsets; this is the same distribution you find in any group. Anonymous seems to have stable affinity groups between specific individuals, more like little cliques, and these have fallings-out left and right on a daily basis. Anonymous doesn't seem to expect anyone to maintain some James Bond level of secrecy, or to the extent that you assume is necessary, in part because there is a segment of the participants that believe that a degree of non-anonymity is deliberately present to give credibility to their assertion that they are engaged in civil disobedience. Can't call it a protest action unless you are demonstrating your right to freedom of association, freedom of speech, etc., so there's an ambivalent semi-public level of Anonymous conduct that should be called "confidential" instead of "anonymous".

2.) EVERYONE in those ircds knows and regularly discusses and jokes about the lurkers in each channel, and the gigs of log files that must be compiled on an hourly basis. Much of AnonOps is considered "public", deliberately. Many of the people in there are cyber security professionals, cyber criminals, etc. They know that the FBI is everywhere, because they occasionally work FOR them. Neither of these points is a dirty secret, and everyone knows that the real world has a greater population of mercenaries than people with a clear-cut "side".

3.) The statistic you mention was a quote by a 2600 staffer that "1/4 of all hackers are informants" -- that's a bullfrak statistic because A.) there is no census data on the number of hackers, so no one knows what percentage of them constitute anything whatsoever, and B.) 25% of hackers are informants, so what's the point of having secret informants when even a ballpark percentage is known by anyone in civvie land? The source pulled that out of his ass and didn't offer any basis for that claim; it was repeated without question by the reporter because it makes law enforcement sound epic. No, there is no coordinated cointelpro-style op going down, with moles collecting tons of info to bust people later on; it's not necessary in order to get evidence of dissent and intent to protest. These guys use i2p, SSL/TLS, anonymous VPN in countries like Sweden, encryption. You think they were born yesterday? Hang out on the telecomix site for an hour; most of these guys wrote those tutorials. Who's to say who or how many constituted Lulzsec? We still have no facts, just the same old rumors from "dox" that no one can ever verify. Finally, can you be any more blatantly biased against Anonymous and Lulzsec while pretending to be neutral? I see you have posts on the Joker, and I'm curious to see how cold you are in your criticism of his retardation compared to Lulzsec.