Posted by david b.
on April 12, 2013
Highlighting the typical mistakes to avoid, The Grugq provides real-world examples where actual hackers got busted due to unacceptable indiscretion.
LulzSec’s notorious Sabu and some of his freedom-fighting pals
If you’re trusting people to keep their mouths shut, which you should never do, they won’t. This is why VPNs are not actually secure. VPNs would only be secure if you trusted that the operator of the VPN is going to go to jail for you. This is not going to happen, as these dudes (see left-hand image) found out. That would be Hammond and the other one, and then two other dudes. No one is going to go to jail for you. When Sabu fucked up and got busted, he flipped immediately, same day, and turned everyone else in. Your friends will betray you; you really cannot trust these people.
LulzSec: Lessons Learned
Trust no one
So, Hammond, who actually had reasonably good OPSEC activities, ended up being busted because he revealed a large amount of personal profiling information during chats, which was then used to incriminate him later. So, here are the LulzSec indictments (see right-hand image). Hammond at one point says to Sabu that he’s been arrested for weed and done 2 weeks in county jail, and then he says: “Don’t tell anyone, because it could compromise my identity, but I am on probation.” If you have to say “Don’t tell anyone”, you shouldn’t be telling that person. If you know it’s going to compromise your identity, why the fuck are you telling it to anyone? Never ever do this; never trust anyone, particularly your criminal co-defendants.
Violation: Never trust anyone
Don’t use services like Facebook to send potentially incriminating stuff
Ok, this is hilarious. This dude, Donncha Carroll, some Gaelic name, had been defacing political websites for Irish political parties; in order to get the defacement code to put up, his friend used Facebook to send it to him (see right-hand image). They sent a copy of the defacement code via Facebook Messenger. Don’t do that; that’s a terrible fucking idea. So, his Facebook in his real name is now linked directly to this. There you go – ProTip: don’t use your personal Facebook account to send defacement code to freedom fighters; terrible fucking idea.
Avoid associating your real name with username
Again, when he was logged into IRC and talking with people, his username, the username that he used on his computer or on his IRC client before he logged in, was his real first name. And then, regardless of which nickname he used, which handle he had on IRC – his IP stayed the same, his username stayed the same, and he would do things like ‘/nick’ in the same channel to swap from one ID to the other (see image to the left). It turns out that that’s not very effective. That is not a good way to hide your identity. So, clearly, in this case you want to never provide personally identifiable information in your online name, and you want to avoid contamination. He did not avoid contamination in this case, so each of those usernames, each of those online IRC nicknames was contaminated by the others.
Do NOT contaminate
He directly contaminated in this case (see right-hand image), where CW is Sabu, the covert witness. Sabu says to him: “Who is this?” And he is logged in as polonium and he responds: “This is palladium”. Again, don’t contaminate. You need to know which identity you are using.
Violation: Don’t contaminate
Keep personal life separated from freedom fighting
In this case Hammond was talking with Sabu and telling him about his lifestyle choices and how he operates. In particular he mentioned this very unique thing, that he is a “freegan goddess” (see right-hand image). Freegans are people that dumpster dive for food. So, when he was under surveillance by the FBI, when they thought they had the right guy and they observed him dumpster diving for food, that demonstrated that he’s a freegan and they could link it back to the statement that he’d made earlier. So, he had provided profiling information in his online chats, and that was used to bust him. A good example of keeping your personal life completely separated from your freedom fighting activity is to not talk about things that are personally identifiable to you.
Violation: Keep personal life and freedom fighting separate
Don’t use home IP address when connecting to target
This one is fucking genius (see right-hand image). We’re back to Donncha, the dude who used Facebook to send his defacement codes. He also used his home IP address; he used his actual home computer to log in to a compromised Gmail account to access one of the Irish police Gmail accounts. Don’t do that; definitely do not operate from your own home, that’s an incredibly fucking dumb idea. So, again, don’t connect to your target directly from your home IP address. You would think that this would be obvious, but never operate from your own home.
Never operate from home when hacking
Hammond had also contaminated previously; he had used his own home IP address when he was hacking into some white supremacist sites. He hadn’t been busted for that, but he had been put on lists. That’s an important thing – to avoid being put on lists. They used lists of people who were known hackers from previous activity, and this was one of the lists that they used when they were narrowing down who the potential suspects were. Never operate from your own home.
Violation: Never operate from your home
Don’t reveal operational details
They actually did some really impressive stuff: they used Wi-Fi triangulation to figure out which Wi-Fi signal coming from his house was actually his, figured out that it was coming from the rooms that he rented, and tracked that down. From there, I’m assuming that he had some Wi-Fi encryption – it’s unlikely he was just using an open network – but they hopped onto his network, and then they used that to do a ping trace, and they also linked the MAC address of his computer against the statement that he’d made earlier about how he uses Apple products. They used the MAC address to show that he was using a Mac, and he had said earlier that he was using a Mac. So, again, this was used to compromise his identity and pop him, and that is because, again, he revealed operational details of what he was doing. So, don’t reveal your operational details, don’t tell people how you are doing things.
Complaints of TOR being slow turned out close to disastrous
This is another example of how he revealed operational details: he complained frequently about how TOR was slow, how YouTube didn’t work and how annoying it was to use TOR (see left-hand image). When they were monitoring his traffic, they were able to show that all of the traffic leaving his house was going directly to TOR, so that was used as a piece of circumstantial evidence against him as well. By him revealing operational details of how he conducted his activities and how he operated, it was possible to then observe those particular operational details in action and link them to him.
Gmail logs might do you a bad favor
This is an amazingly stupid activity. Here Sabu was supplied with an IP address from the Gmail logs. When they went to the Gmail logs of access to that compromised Irish police account, they found some that were anonymous and appeared to originate from Ireland. They said: “Can you find out who this is? We believe it’s palladium’s”. Sabu took that IP address and said to palladium: “Do you recognize this IP address?” And palladium, because he’s a fucking genius, said: “Yes, that looks like the one I connect from” (see image above).
Also, palladium had said that he was using a particular VPN network to connect to his targets. The IP addresses from the Gmail logs were from this particular VPN network, and again Sabu asked him: “Do you use the Perfect Privacy VPN?” And again, palladium answered: “Yes, I use that VPN”. Please send me to jail…
Again, do NOT disclose operational details to anyone
All of the access to the compromised Gmail accounts occurred from the guy’s home address or the one VPN that he’d stated that he uses. So, obviously, he’s going to jail. Once again – never reveal your operational details, do not tell people how you operate, don’t tell them what you’re doing.
Violation: Don’t reveal operational details
Read previous: Hacker’s Guide to Stay out of Jail 2: Do’s and Don’ts
Read next: Hacker’s Guide to Stay out of Jail 4: Be Paranoid and Never Contaminate