We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency
That information would then be stored in HashKiller’s database, so if anyone tried to crack the password “parmy” and had the MD5 hash, he could do it instantly. The result from Hashkiller.com would look like this:
Cracking hash: 11dac30c3ead3482f98ccf70675810c7
Looking for hash…
Plain text of 11dac30c3ead3482f98ccf70675810c7 is parmy
It was that simple. This was why it was a bad idea to use single-word passwords, like “parmy” or—even worse, because it is commonly known—“shithead.” Each password always had the same MD5 hash. And once it was in HashKiller.com, everybody knew it. A lack of context kept things relatively secret: everyone could see the hashes and cracked passwords in plaintext but nothing else. Using the site was free, and Sabu had only to sit back and wait for the passwords to be cracked by volunteers.
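The lookup the passage describes, as an added example (not code from the book, from HashKiller, or from anyone in it): an unsalted MD5 of a given string is the same on every site that stored it, so a crowd-sourced table of already-cracked hashes turns "cracking" into a dictionary hit. The wordlist below is a constructed stand-in, and the salted variant shows why a per-user salt plus a slow key-derivation function (PBKDF2 here) makes such a shared table useless.

```python
import hashlib
import hmac

# Constructed stand-in for the plaintexts a crowd-sourced cracking site
# accumulates; these are not records taken from HashKiller.
WORDLIST = ["parmy", "shithead", "password", "letmein", "st33r!NG"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 of a password, as the sites in the passage stored it."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; every later lookup is a dict hit.

    This is the core of a cracked-hash database: each contributor adds a
    (hash, plaintext) pair and the table serves it to everyone else.
    """
    return {md5_hex(w): w for w in words}


def crack(table, hash_hex):
    """Instant 'cracking': the hash is the key, so no guessing is involved.

    Returns the plaintext, or None if nobody has contributed it yet.
    Hex digests are case-insensitive, so normalise before the lookup.
    """
    return table.get(hash_hex.strip().lower())


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The salt gives the same password a different digest for every user
    and every site, so a shared lookup table cannot be built. The
    iteration count makes each guess costly even for an attacker who
    holds the salt.
    """
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return derived.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str, iterations: int = 100_000) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored_hex)


def demo():
    """Walk through the two cases and return the results for inspection."""
    table = build_lookup(WORDLIST)
    target = md5_hex("parmy")
    # Two constructed per-user salts; a real system would draw them with
    # secrets.token_bytes(16) and store one alongside each user's digest.
    salt_a, salt_b = b"\x00" * 16, b"\x01" * 16
    return {
        "unsalted_hash": target,
        "cracked": crack(table, target),            # 'parmy', instantly
        "salted_a": salted_hash("parmy", salt_a),
        "salted_b": salted_hash("parmy", salt_b),   # differs from salted_a
        "salted_in_table": crack(table, salted_hash("parmy", salt_a)),  # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The asymmetry is the whole point: the table costs the attacker nothing per lookup, while the defender's only lever is to make each stored digest unique (salt) and each guess expensive (slow KDF, or bcrypt/scrypt/Argon2 where available).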
Once someone cracked the admin’s password, the surprisingly easy “st33r!NG,” Sabu created a web page, known as a shell, that he secretly attached to the website for Infragard Atlanta. It was the same sort of page that the site’s administrators would use to control its content, allowing him to add new pages or delete others. The difference was that the admins knew absolutely nothing about Sabu’s page. Since the page for the original control panel had been xootsmaster, Sabu named his new shell page /xOOPS.php. He could have just gone through the main control panel since he had the right password, but that would mean clicking through a series of options and a long list of directories. The shell was a more simply designed page that made it quicker and easier to mess with things.
The team lurked on the site for a few weeks while sitting on its entire username and password base: twenty-five thousand e-mails from the personal accounts of the site’s users, a mixture of security consultants and FBI agents. Topiary and his friends had all their passwords, full names, and e-mails. If Topiary had been feeling malicious, he could have logged into the PayPal accounts of one of the more senior users and started splashing money all over the place.
“That would be bad,” he said at the time.
They had access that could let them deface the site in seconds, but they would wait it out. The crew was still feeling the heat from HBGary, the #HQ log leaks, and Backtrace, and they weren’t quite sure what they were becoming yet. So they settled for spying on the users’ Gmail accounts, just watching the mails roll by. Nothing particularly significant was being discussed, but the group decided that if one of them got arrested, they would publish everything.
“Most professional and high-level hacks are never detected,” one hacker with Anonymous who went on to support Sabu and Topiary’s team said months later. Not long after the Infragard breach, another group of hackers broke into the computer network of Japan’s parliament, stealing login information and e-mails. It had taken three months before anyone figured out what had happened. The hack had involved infecting the computers with a virus, most likely by sending employees e-mails that carried Trojans. This was how script kiddies worked, the Anonymous hacker said dismissively. It was loud, common, and didn’t require much skill.
Sniffing around passively without anyone knowing always made sense. You could steal a database, sell it to spammers, and move on to other ways of hustling for money. With Anonymous, there was also that obligation to cause a stir. But it depended what you had hacked into. The Anon claimed that when he breached a network, most of the time he acted “passively.” At one point, for instance, he and another team had found a hole in a large foreign-government server leading to data on various hospitals. His team did not disclose the data and instead notified the admin of the problem. They even deleted their own copy of the data, since releasing the information would be “counterproductive.” On that same hack, however, they also found an administrative server for that same foreign government that contained all IP ranges for its online services. “We sure released that,” he said.
The paradox for hackers who became part of Anonymous was that there was suddenly a reason to go public with their leaks to make a point. With Infragard, Sabu, Kayla, and Topiary were taking the sniffing-passively route. What the group did with this information would set them apart from other hackers who sought money, curiosity, or a sense of personal achievement. They just needed the right moment.
Chapter 17
Lulz Security
Soon it became clear to Sabu, Topiary, and Kayla what they were really discussing: the creation of a new hacking team. It would be, in one way, like WikiLeaks. It would publish classified information that hadn’t been leaked, but stolen. The idea didn’t sound as nerdy as Topiary had thought a few months back.
They decided unanimously that they did not want to be constrained by the broad principles underlying Anonymous, which were:
choosing targets because they were oppressors of free expression
not attacking the media.
The idea was to do whatever it took to inspire Anonymous with new lulz, and maybe even grab the limelight again. In Topiary’s mind, this would lead to something far greater than any of the pranks he had ever pulled. The whole idea of lulz didn’t sit comfortably with Sabu, who was more interested in hacking as a form of protest. But he realized Anonymous needed some inspiration, and he figured he could steer Topiary and the others toward more serious pursuits. Kayla was just happy at the chance to tear up the Internet again, and since they needed to target more than just the Infragard website, she started looking for the Web’s hidden security holes the same way she had secretly done for WikiLeaks’s q.
Kayla had a powerful web script that let her scan the Internet for any website with a vulnerability. This process of looking for security holes in many different websites at the same time was called automated scanning, or crawling. When she was ready to start using it, Kayla hooked the bot to Sabu’s chat server and then cast it out like a net. She had only to type commands into the chat box, like find SQLI, to direct it. The bot constantly churned out new addresses of web pages that had vulnerabilities, then filtered them again. She had spent hours configuring the script so that certain types of URLs would show up in different colors. There were hundreds each day, and about 20 percent led to security holes. About 5 percent led to databases of ten thousand users or more. Over the course of two days, Kayla scoured the websites of hotels, airports, and golf clubs, even Britain’s National Health Service, leading the team to hundreds of thousands of user details. They started stealing (or dumping) the info and came up with eight databases containing fewer than five thousand usernames and passwords and two big ones, of five hundred thousand and fifty thousand.
By now Tflow, AVunit, and the Irish hacker from #InternetFeds named Pwnsauce had joined, making them a team of six. It was a number and set of names that would remain fixed to the end. Pwnsauce was a skilled and amiable young man who had been involving himself with Anonymous since October of 2010, when he helped with the attacks on anti-piracy groups. Now he was happy to help comb the Internet for security holes.
“Sabu, I may have a lead here,” he said at one point after finding something. When asked why he was working with the team, he said that while he agreed with the aims of Anonymous, “moreso I am here because of the people.”
“I’ve never found more respectable and hardworking people in my life than those in this group,” added Topiary, who had been part of the conversation. “And likable.”
Anonymous attracted hackers with a conscience, Pwnsauce explained. In a past life he had consorted with a “horrible mix” of hackers who “either did not know what they were doing or who solely wanted to steal from people.” These were people who stole credit card details from small retail outlets and chains. Mom-and-pop shops and gas stations were frequently the easiest to hack when they stored credit card information at the end of the day, data that often included the security codes on the backs of people’s cards—even though saving them was illegal. They saw these targets as easy pickings, but Pwnsauce had found a more interesting and varied bunch of people on AnonOps, and since they had a wider array of skills, he claimed to have learned three times as much about programming and the Internet itself from Anonymous than from darker hacking circles.
Pwnsauce was studying biology but longed to get out of Ireland. When he wasn’t studying or dealing with what he would only describe as “family issues,” he, like Kayla, was in front of his computer, poking around the back ends of websites in what felt like a lifelong exploration of the Web’s hidden vulnerabilities.
“He’s a perfect blend of technical skill and imagination,” Topiary later said of Pwnsauce. The two of them once had a lengthy discussion about the best way to disrupt an airport’s security system, which moved them to remotely jack into a McDonald’s menu screen and import green hacker text to confuse its attendants. “We were in hysterics,” Topiary remembered. “I really want to have a pint with this suave Irish gentleman.”
One of Pwnsauce’s friends in the hacking scene was a fellow Irish hacker named Palladium; the two had hacked into the Irish opposition party Fine Gael and called out Anonymous as being responsible back in February. Palladium had come in when the team had found a vulnerability but needed help carefully and secretly exploiting it to take internal information.
In mid-April, Tflow had found a vulnerability in the servers of media powerhouse Fox, but he hadn’t done anything with it. He showed it to Palladium, who was able to get a shell on it and break in. The two decided to collaborate on breaking into Fox. One of them eventually found a sales database that held the personal information of Fox employees and journalists and seventy-three thousand e-mail addresses and passwords for people who wanted to receive updates on auditions for the network’s forthcoming X Factor, a talent show on American television. This was a model for how the group would later operate—keeping strategic decisions to the core six but working with a second tier of trusted supporters to help them carry out attacks.
After breaching the Fox servers on April 19, the team members stayed there for days leeching all sorts of data, from user logins to the passwords of radio station announcers. The team hadn’t set out to attack Fox, but its vulnerability stood out among all others because it was a right-wing media force that most people in the Anonymous community hated. They hoped to find something funny in the trove of personal information.
It took a week for Fox’s IT administrators to notice the breach, but by then the team had reams of data to sift through; it had been handed over by Tflow, who had received it from Palladium. Topiary told both of them that he would go through a list of about three hundred and fifty Fox staff members and test their names and passwords out on social media sites like Twitter and LinkedIn. It would be a slow, methodical process, but hopefully he would find the unfortunate few who had reused the same passwords (as Aaron Barr had done) so he could then hack their accounts and create another shitstorm.
Kayla’s scanning script had brought in a hefty list of vulnerabilities, and Topiary, who had had only a basic knowledge of hacking five months before, also found the transaction logs of 3,100 ATMs in the United Kingdom. With normal hacker groups, none of this information would have ever seen the light of day. It would have been stored for the hackers’ own personal collections or sold to spammers. But Topiary, Sabu, and Kayla were coming from the world of Anonymous, where you didn’t hack just for data but to make some sort of social or political point. Their twist would be, for now at least, that there was no significance to the release at all. They would publish it for shits and giggles, for lulz. It was a badge for Anonymous as much as for their small, increasingly tight-knit gang, and it meant they had a wider array of potential targets to hack into and leak. First things first: the team needed a name.
That task fell to Topiary and Tflow, who decided it was paramount that the name included the word lulz. They toyed with the combination of several names until they got to Lulz Leaks. It seemed to fit with their modus operandi, so Topiary created a Twitter account for the name on May 3 and put out a single first tweet: “There is much to do—prepare yourselves.” A little while later, he needed to do a second tweet, but he couldn’t sign into the account—he had forgotten the password.
The two went back to the drawing board. Lulz4ULeaks and Lulz Cannon were a mouthful, and the Lulz Boat, which they liked, was already taken on Twitter. Then they thought about a name that would be a twist on Backtrace Security: Lulz Security. Topiary checked and @LulzSec was free as a Twitter account. He set up a new account, this time making sure he had a record of the password, then wrote a bio that read simply “LulzSecurity® the world’s leaders in high-quality entertainment at your expense.”
They needed a picture, so Topiary looked through a folder of two thousand images called reaction faces. Anyone who used 4chan had a folder like this to illustrate responses on a thread. He picked the drawing of a mustached man wearing a monocle and a top hat and holding a glass of red wine. Topiary had no idea where it had come from, never considering that, given Topiary’s lazy eye, the man with a single lens might be representing him.
It was time to give Anonymous a peek at what they were working on. When the names Topiary, Kayla, and Sabu suddenly appeared in a key AnonOps chat room for the first time in more than two months, there was an almost visible buzz.
“You know shit is going down when the HBGary hackers are here,” someone said.
“Is that THE Sabu/Topiary/Kayla?” another asked.
Hearing that Anonymous supporters were at that time keen to attack the U.S. Chamber of Commerce, Topiary and Kayla started looking for vulnerabilities in the site right then, racing to see who could find the most. Topiary was quickly trounced. The two then started pasting the page addresses for each of the security holes in the chamber’s site into the chat room. The chat room participants cheered and thanked them. Soon word got out that the core HBGary trio were up to something big.
LulzSec, as hackers, were in very new territory. Stealing data was one thing, but announcing it through Twitter so the press could report on it was odd. Topiary volunteered to the others to write a short statement to accompany the Fox and X Factor releases, which would otherwise have been just long lists of data. Everyone agreed. It was clear that Topiary’s role would always be that of mouthpiece for the group. Nobody really thought about who should man the LulzSec Twitter feed—it was just obvious that Topiary would do it. He published the statement via the application Pastebin.
“Hello, good day, and how are you?” it started. “Splendid! We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: Fun.” This was a world away from the grave admonishments he’d written for Anonymous press releases, the ones that had scolded PayPal for “censoring WikiLeaks” or that had warningly told HBGary “you don’t mess with Anonymous.” If Anonymous had been the six o’clock news, LulzSec was The Daily Show, publishing similar content through a similar process, but spun primarily to entertain, not to inform or encourage. They were free agents.
On May 7, he put out the first LulzSec tweet announcing that Fox.com had been hacked. “We’re releasing the X-Factor contestants database publicly tonight,” he said, adding, “Stay tuned. Wink, wink, double wink!” A few minutes later he let it rip.
“And here you are my lovely Internet folks, the X-Factor 2011 contestant database.” Topiary added a link to a torrent file that Tflow had packaged and put up on The Pirate Bay website, as he had done months before with the HBGary e-mails. Topiary hadn’t been expecting an immediate response from Twitter users or from blogs, but the silence that followed over the next few seconds, then minutes, then hours, was deafening. Three days later Topiary published four more Pastebin pages of the Fox.com data, with another lighthearted introduction and more tweets. At this point, but only for a little while longer, hardly anyone was noticing.
Chapter 18
The Resurrection of Topiary and Tupac
Topiary kept checking Google News for any mentions of Lulz Security or the leaked usernames from Fox and X Factor. He noticed there were hardly any mentions besides a few blog posts from technology news sites. No one seemed to care.
If an individual or group had thousands of Twitter followers, it was more likely to create a buzz among bloggers and journalists and, eventually, to create headlines. Topiary’s imaginative writing style, honed by many hours writing for the satirical website Encyclopedia Dramatica, came into play here. He could write a series of acerbic comments soaked in the parlance of Internet subculture in just a minute or two. It came naturally.
By the end of his first day using the LulzSec Twitter account, May 7, Topiary had amassed fifty followers from eleven tweets. The tone was tongue-in-cheek, cheerful and irreverent, quoting lyrics from the tacky pop song “Friday” by Rebecca Black and taunting the official Twitter feed of X Factor: “We stole your shit and now we’re going to release it! Thoughts?”
Twitter, despite its 140-character limit and status as a gimmicky tool for the social media elite and technorati, could be a powerful communication tool. If it was used smartly and prolifically, thousands of people could start paying attention to LulzSec. By using the @ symbol, or simply by saying a name, he could speak to anyone who had a Twitter account.
The following morning he employed Sabu’s tactic of dangling the prospect of more tantalizing leaks: “Guys and girls, we’re working on lots of fun right now! Here’s your Sunday secret: We’re nowhere near done with Fox.”
On Monday, May 9, the followers had inched up to around seventy-five, but Topiary kept up the showman-style enthusiasm, as if each tweet were being blared from a ringmaster’s bullhorn. “Monday spoiler: today’s leak will be significantly smaller in quantity, but vastly higher in quality,” he broadcast. “You guys like passwords? So do we!”