Suspected hackers arrested over Anonymous/LulzSec internet attacks

Two men, aged 20 and 24, have been arrested by British police in connection with a series of internet attacks orchestrated by the Anonymous and LulzSec gangs.

Scotland Yard says that the men, who were arrested in Mexborough, Doncaster, and Warminster in Wiltshire, remain in custody for questioning, and are being held at police stations in South Yorkshire and London.

As part of the investigation, computer equipment has been seized and will undergo forensic examination by police experts. There is speculation online that the arrests are connected specifically with the criminal activities of a hacker who used the online handle ‘Kayla’.

Kayla, alongside the likes of Sabu, Topiary and Tflow, is considered to be one of the key figures in the LulzSec hacking gang.

However, Kayla – who has claimed involvement in the hack against security firm HBGary – has presented herself online as a giggly 16-year-old girl. Although Kayla has given interviews to the press in the past, “she” has always declined to use Skype to confirm an adolescent female voice.

Many eyes will no doubt be on Kayla’s Twitter account to see if any messages are posted following these most recent arrests.

Kayla's Twitter account

At the time of writing, the most recent tweet from Kayla is dated 1:34 PM UK time, 1 September.

The two arrests follow a series of hacks and denial-of-service attacks against UK and US businesses, law enforcement agencies and government bodies.

Detective Inspector Mark Raymond from the Police Central e-Crime Unit (PCeU) said: “We are working to detect and bring before the courts those responsible for these offences, to disrupt such groups, and to deter others thinking of participating in this type of criminal activity.”

Charges brought against other suspects
Earlier today the media reported that 20-year-old Christopher Jan Weatherhead, from Northampton, and Ashley Rhodes, 26, from London, have been charged by police with computer crime offences.

They have been remanded on bail until 7 September. A 17-year-old from Chester and 22-year-old student Peter David Gibson, of Hartlepool, County Durham, are also due to appear at City of Westminster Magistrates’ Court on the same day.

Earlier this month the Met Police issued a stark warning to anyone considering supporting internet attacks against companies and governments.

Certainly the police appear to be mopping up a lot of suspected hackers in connection with the Anonymous and LulzSec hacks. If nothing else, that should be something for other budding hacktivists to stew over and perhaps reconsider if it’s a risk that they really want to take.


Picture this news story: “42 suspects in three countries were arrested today in connection with the attempted theft of intellectual property from XYZ Corp. XYZ Corp. worked with law enforcement in each country in order to identify and apprehend the would-be thieves. The Attackers were caught due to flaws in the implementation of their attack, which relied on steganography for a key portion of the attempted theft.”

Here We have a fictitious story - but it may not remain such a fictitious concept for long. In Reality, malware authors and malware groups are always looking for sneaky methods, techniques, and technologies and steganography fits the bill frighteningly well. A double bonus for malware authors is that this technology is old (academia has been examining the technique for a long time – therefore, lots of the hard work has already been done) and it is only just beginning to make its debut in the digital underground (Vinself, Shady RAT). Malware groups have a pattern of stealing technology from each other – if one form of technology is successful, a competing malware group will simply appropriate that into their own offerings.

Steganography Is a method of covertly communicating. Its close cousin is encryption, where the individual messages are obscured. In This case though, the entire fact that a conversation is taking place is obscured. Speaking Technically, encryption makes the messages covert, but not the communication channel - steganography makes the channel itself covert. What's worse is that both can be used together - a message can be encrypted and then the channel hidden through steganography.

Detecting steganography is difficult. The field dedicated to this topic is called "steganalysis".

The current threat from this type of technology is unclear and probably small. As This technique is somewhat new on the threatscape and appears to be gaining a foothold, and given the potential applications of this technology, this author recommends maintaining acute awareness. If you are a large organization or one potentially prone to attacks such as APTs, a more serious review of and education about this technology is warranted.

Here are some potential avenues to consider exploring:

  • Awareness and exposure: There Is a lot of material available in the public domain for anybody who wishes to learn more about this technique.
  • Education And certification: There are companies that certify people to hunt for this technology, for example BackBone Security's Steganography Analysis and Research Center and WhetStone Technologies.
  • Security Testing: Customers should consider security testing to assess their risk of exposure to this technique. Things To consider when performing tests: the capability of the tools, security design, risk scenarios, potential countermeasures, threat characterization, threat behaviour, internal security procedure/workflow/escalation design.

One final note: to illustrate the nature of this technology, a short message is steganographically embedded in this post using text steganography. The key is as follows: write down the first letter of each sentence where the second word is capitalized. For the technically inclined, this is also very similar to chaffing-and-winnowing.
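As an added illustration of the scheme the post describes (this code is not part of the original post), the decoder below recovers a message hidden with the "first letter of each sentence whose second word is capitalized" key and reports a crude steganalysis ratio for a carrier text. The memo-style carrier is constructed for the example, and skipping the pronoun "I" is my own assumption, not part of the post's key.

```python
import re

# Constructed sample carrier (not from the original post) using the post's key:
# the first letter of every sentence whose second word is capitalised spells the
# hidden message, while the text itself reads like a routine memo.
SAMPLE_TEXT = (
    "Hello Everyone, the quarterly report is attached. "
    "Nothing unusual appeared in the logs this week. "
    "Every Host was patched on schedule. "
    "Later we will review the firewall rules. "
    "Logging Is enabled on all servers. "
    "Last Month we rotated the backup keys. "
    "Please ask if anything is unclear. "
    "Our Team meets on Monday."
)

# Sentence boundary: an end mark followed by whitespace. Abbreviations such as
# "Corp." over-split, which is acceptable for plain prose like the sample.
SENTENCE_END = re.compile(r"(?<=[.!?])\s+")
LEADING_PUNCT = "\"'“‘("
TRAILING_PUNCT = ".,;:!?\"'”’)"


def split_sentences(text: str) -> list[str]:
    return [s for s in SENTENCE_END.split(text.strip()) if s]


def carries_marker(sentence: str) -> bool:
    """True when the second word starts with a capital letter.

    The pronoun "I" is skipped (an assumption here) because English always
    capitalises it. Proper nouns in second position (e.g. "Scotland Yard says")
    still trigger, so the result is a steganalysis lead rather than proof.
    """
    words = sentence.split()
    if len(words) < 2:
        return False
    second = words[1].lstrip(LEADING_PUNCT).rstrip(TRAILING_PUNCT)
    return second != "I" and second[:1].isupper()


def decode_second_word_stego(text: str) -> str:
    """Recover the hidden message from a carrier text using the post's key."""
    return "".join(s.lstrip(LEADING_PUNCT)[0]
                   for s in split_sentences(text) if carries_marker(s))


def marker_ratio(text: str) -> float:
    """Share of sentences carrying the marker; ordinary prose rarely
    capitalises the second word, so a high ratio merits a closer look."""
    sentences = split_sentences(text)
    return sum(carries_marker(s) for s in sentences) / max(len(sentences), 1)
```

Running `decode_second_word_stego(SAMPLE_TEXT)` yields the embedded word, while `marker_ratio` flags the carrier because well over half of its sentences capitalise their second word.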

iPhone 5 giveaways on Facebook – a scam or what?

Even if it hasn’t been officially announced yet, and certainly isn’t available to the general public (unless an Apple employee loses a test model in a bar), there are plenty of scammers out there trying to trick you into believing you can get a free iPhone 5.

Here’s just a sample of the pages on Facebook claiming to be an iPhone 5 giveaway. Typically they are trying to trick you into clicking on links, driving traffic to online surveys which earns them revenue.

iPhone 5 giveaway pages on Facebook

Repeat after me 🙂

* There is no free iPhone

* There is no free iPad

Very, very occasionally, you will meet people who got an iPad “for free”. For example, the Naked Security team won one at this year’s Security Bloggers awards when we were named “Most Educational Security blog”. 🙂

But for every free iPhone or iPad offered, there are probably 10,000,000 or more fake offers.

So if you simply assume ALL “free” iPads and iPhones offered online are scams, you’re missing out on a one-in-a-ten-million chance. In other words, you’re missing what is mathematically almost indistinguishable from nothing, zero, zilch.

But each time you enter one of these online giveaways, you could be handing over your personal information to scammers and putting money into their pockets.

And you don’t want to do that, do you?

It’s widely anticipated that Apple will announce the iPhone 5 sometime this month. But don’t hold your breath about them offering it for free.

By the way, if you’re a Facebook user and want to keep up on the latest threats and security news I would recommend you join the Sophos Facebook page – where more than 100,000 people regularly discuss the latest attacks.

Hurricane Irene clickjacking scam on Facebook

States in the USA, such as Vermont and New Jersey, are continuing to deal with heavy flooding in the aftermath of Hurricane Irene.

And we weren’t surprised to find internet scammers attempting to profit from other people’s misery.

For instance, here is a clickjacking scam which at the time of writing is still active on Facebook.

Hurricane Irene Facebook clickjacking scam

This Facebook page reads:

VIDEO SHOCK - Hurricane Irene New York kills All

All? Hmm.. that would be a rather fanciful claim even for the most sensationalist tabloid report. But maybe it will be enough to make you click further.

Hurricane Irene Facebook clickjacking scam

BAM! Too late. You’ve been clickjacked. Even before you’ve had a chance to notice that the page is suddenly talking to you in Italian, the webpage has taken your click onto what you thought was the video’s play button and secretly behind-the-scenes tricked you into saying you “Like” the page – thus promoting it to your online Facebook friends.

If you were running an add-on like NoScript for Firefox you would have been protected by a warning message:

Hurricane Irene Facebook clickjacking scam intercepted by NoScript

But let’s imagine that you weren’t protected. What happens next?

Hurricane Irene Facebook clickjacking scam

The page insists that you share the link to the Facebook page, presumably in an attempt to increase its viral spread. So far things don’t seem to be working well for the scammers – as only 12 people have said they “Like” the page (and one of those is my test account). Maybe folks are suspicious about a claim that Hurricane Irene has killed *everyone* in New York.

Hurricane Irene Facebook clickjacking scam

You’re still keen to watch the video, of course, but first the scammers want you to take an online survey – which not only asks you for personal information but also can earn them commission.

If you are hit by a scam like this you should remove the page from the list of pages that your Facebook profile likes..

Unlike Hurricane Irene Facebook clickjacking scam

..and remove it from your newsfeed, reporting it as spam to Facebook.

Remove Hurricane Irene Facebook clickjacking scam

The good news is that this particular scam hasn’t become widespread, but many others do become widespread.