Posts Tagged ‘#W0rmer’

Imperfect Cybercrimes

April 19, 2012 1 comment

Law Enforcement Agencies are taking their revenge against the Hacktivists who mostly targeted them during the last months. In a deadly and unexpected sequence, the last 40 days have seen the heads of three infamous hacking crews falling under the blows of FBI and Scotland Yard.

One after the other, the key members of LulzSec, CabinCr3w and Team Poison have been arrested and in all but one case (that is the arrest of the alleged members of Team P0ison for which no details are known so far), the events have unveiled some surprises and unexpected details. Moreover, at least three arrests have been possible since the hackers left behind them a trail of mistakes which allowed the investigators to connect the dots and link their twitter accounts to their real identities.

The following table depicts the facts which may be better summarized from the Criminal Complaints which are reported below for:

As you may notice, in two cases, W0rmer and ItsKahuna, the hackers were betrayed by two familiar technologies which are commonly considered dangerous for users’ privacy and identity: social networks and mobile devices. Sabu was the one who really did a “technical mistake” by connecting to an IRC without protecting his IP address with TOR.

Interesting to say is also the different approach of FBI and Scotland Yard. Once discovered the real identities of the hackers the Feds tried to “enroll” them as informants, at least in one case (Sabu) this strategy was winning. At the opposite the Britons immediately caught the alleged culprits without giving any detail about their identity, maybe hoping the arrest could act as a deterrent for the other hackers. Apparently it looks like this latter strategy was not completely successful since the CabinCr3w survivors are threatening authorities, inviting other Blackhats to join them for the revenge.

Last but not least, I cannot help but notice the tweet below for which I remember to have been particularly impressed when I first saw it since, at that time, I considered it a too much imprudent. Consequently I was not that surprised when I saw it quoted in the Criminal Complaint.

At the end we are becoming more and more familiar with mobile phones and Social Network, so familiar to forget their level of intrusiveness and the related dangers for our privacy. As an example try to verify how many of you and your friend toggle Geo-Tagging off from their phone cameras. (Un)fortunately, it looks like not even the bad guys are immune from this.

Read more…

FBI HaZ A File on HIM

April 14, 2012 2 comments

Last week, while browsing the 2012 Cyber Attacks Timeline, I could not help but notice the huge amount of cyber attacks that the collective @CabinCr3w did between January and February 2012 in the name of the so-called #OpPiggyBank. You will probably remember that most of those Cyber Attacks, made in combination with @ItsKahuna, were targeting Law Enforcement Agencies in support of the occupy movements. The crew was not new to such similar actions (for instance they doxed the Citigroup CEO in October 2011), in any case I was impressed by their sudden peak and by the equally sudden disappearance in the second half of February.

Few clicks on Google were enough for me to came across an article on Threatpost that I had missed a couple of days before.

On March 20 federal authorities had arrested Higinio Ochoa, AKA @Anonw0rmer, a resident of Texas accused of working for the hacking group CabinCr3w. He had been taken into custody by FBI agents and charged with unauthorized access to a protected computer in a criminal complaint dated March 15 whose Offense Description indicates an “Unauthorized Access to a protected computer” made on February 2012 in the County of Travis, District of Texas.

The rich Resumé of the @CabinCr3w, part of which is listed on the Criminal Complaint, includes 10 cyber attacks made between January and February 2012, in particular one against the Texas Police Association, on February the 1st 2012, and one against the Texas Department of Public Safety, on February, the 8th 2012. The latter, at least according to an alleged self-written memorial that W0rmer Higinio Ochoa allegedly posted on pastebin on Mar 30 2012, is maybe the one for which he was charged.

The list of the facts contained in the Criminal Complaint and how the FBI combined them to identify Higinio Ochoa and to join his real identity with the virtual identity of W0rmer, is a brilliant example of Open Source Intelligence clearly summarized in this article by ArsTechnica. Incredible to believe for a hacker, who should be supposed to clean each trace he leaves on the cyber space, is the fact that the main security concern for a mobile device, the geo-tagging feature, was one of the elements which led Investigators to Higinio Ochoa. By mining EXIF data contained in a photo on the web page left after the defacement of the Texas Department of Public Safety (showing a woman in a bikini with the sign: “PwNd by w0rmer & cabincr3w”), the Feds were able to collect the GPS data in the image, and to consequently identify it was taken with an iPhone 4 at a location in South VIC, Australia. By browsing the (inevitable) Ochoa’s Facebook Profile, the agents also learned that a girlfriend of him, Kylie Gardner, had graduated from a high school in Australia, the same country in which the first photo was shot.

Inevitably, this event has (too) many points in common with the affaire of Sabu, the alleged leader of the infamous LulzSec Collective, arrested by the Feds approximately a month before.

Both crews, LulzSec and CabinCr3w, targeted Law Enforcement Agencies, both crews met the same destiny: hit in the heart (or better to say in the head) by those same Law Enforcements they mocked so deeply during their days of lulz.

But the points in common do not end here… Sabu was discovered to act as an informant of FBI, and the above quoted pastebin suggests that W0rmer did the same prior of his arrest.

Were you ever approached to be a confidential informant? Of course I was! Some body such as myself who not only participated in the occupy movement but knew many and knew the inner workings of the “infamous” cabin crew would not be just put away without wondering if he could be turned. I did how ever tell FBI that I would participate in the capture of my fellow crew  mates

Even if it is not clear if his cooperation was really genuine. As a matter of fact in the following sentence, he refers to his role as an informant as a “play” which created confusion on FBI:

a play which undoubtfully both satisfied and confused the FBI

Maybe this is the reason why the Twitter account of the CabinCr3w on April 3, tweeted:

(Curiously it looks like at 00:04 (UTC +1) this tweet has just disappeared)

In any case the court documents indicate that Ochoa first appeared in federal court for the Southern District of Texas on March 21, subsequently released on bail and forbidden to use a computer or smart phone, hence it is possible that the post on pastebin, which is dated March 31st, has not been written directly from his hand.

Last but not least there is a strange coincidence: W0rmer had a twitter account with the nick @AnonW0rmer who ceased to tweet on March, the 20th (@ItsKahuna ceased to tweet on March, the 23rd while @CabinCr3w is the only still active). Guess what is the name associated with the @AnonW0rmer account? FBI HaZ A File on ME. A dark omen or a dissimulation?

February 2012 Cyber Attacks Timeline (Part I)

February 16, 2012 1 comment

February 2012 brings a new domain for my blog (it’s just a hackmaggedon) and confirms the trend of January with a constant and unprecedented increase in number and complexity of the events. Driven by the echo of the ACTA movement, the Anonymous have performed a massive wave of attacks, resuming the old habits of targeting Law Enforcement agencies. From this point of view, this month has registered several remarkable events among which the hacking of a conf call between the FBI and Scotland Yard and the takedown of the Homeland Security and the CIA Web sites.

The Hacktivism front has been very hot as well, with attacks in Europe and Syria (with the presidential e-mail hacked) and even against United Nations (once again) and NASDAQ Stock Exchange.

Scroll down the list and enjoy to discover the (too) many illustrious victims including Intel, Microsoft, Foxconn and Philips. After the jump you find all the references and do not forget to follow @paulsparrows for the latest updates. Also have a look to the Middle East Cyberwar Timeline, and the master indexes for 2011 and 2012 Cyber Attacks.

Addendum: of course it is impossible to keep count of the huge amount of sites attacked or defaced as an aftermath of the Anti ACTA movements. In any case I suggest you a couple of links that mat be really helpful:

Read more…

Categories: Cyber Attacks Timeline, Cyberwar, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Get every new post delivered to your Inbox.

Join 3,319 other followers