Hacker arrests: Why Anonymous might not be so anonymous
This week's arrests of 21 members of Anonymous in the US and Europe show that, given time and resources, cybersleuths can track down hackers. But doubts remain over whether authorities caught any big fish.
The arrests of 21 individuals Tuesday connected with the Anonymous group and other computer hackers suggest that the suite of digital tools that hackers use to obscure their identities is not foolproof and can be cracked with significant sleuthing.
Questions remain about whether the 14 are relatively novice hackers who were easy to track. But often the greater question in solving an Internet attack is not whether a breakthrough can be made, but whether it is worth the time and resources needed.
Often, perpetrators are caught bragging on online forums. Others are caught making elementary mistakes. But finding and nabbing the top hackers takes time and money.
"If [hackers] use the right privacy measures to mask their Internet service provider, it would take international cooperation and a lot of hard work to get at them," says Ashera, the pseudonym for a cyber security investigator at Backtrace Security, who spoke on condition of anonymity. "These guys say, 'Ok, I've got my IRC, my chain proxies, I'm logged into a shell, and I'm logged onto another computer, too....' But they're not as anonymous as they think they are."
The 21 people arrested Tuesday come from 10 states, the District of Columbia, Britain, and the Netherlands. Of those, at least 16 were linked by authorities to cyberattacks against PayPal last year, in which hackers claiming to be part of Anonymous clogged access to the PayPal website for customers.
Anonymous and an affiliated hacker group called LulzSec have been taunting law enforcement authorities for months, breaking into corporate websites like Monsanto, the Arizona Department of Public Safety, Sony, and PBS – and then bragging about it.
That bravado can sometimes be the undoing of hackers. A student at the University of Central Florida, for example, tweeted a victory message from a Twitter account dubbed "voodooKobra" after he broke into a server belonging to Infragard, a site for companies and federal authorities involved in homeland security, and stole three files.
Authorities used the information in the tweet and other digital snippets to track down the culprit.
In cracking such a hacking case, much depends on how much time and effort law enforcement authorities are willing to devote to tracking down a perpetrator.
"Right now, anyone can use anonymizing tools freely available on the Internet to give the authorities the runaround long enough to make many investigations approach that point where a judgment call must be made: 'Do we actually follow through with this one?'" says Zachary O'Leary, an Internet governance researcher at the University of Edinburgh.
Yet the idea of cracking down on anonymizers could have negative consequences, too. In China, for instance, tools that strip off or otherwise cloak the Internet address of a computer are helpful for journalists and human rights activists.
"When you're talking about authoritarian control in dictatorial countries, these anonymizing tools are looked at as tools of liberation rather than anarchy as they have been used by LulzSec or Anonymous," says Hal Roberts, a researcher at the Berkman Center for Internet & Society at Harvard University.
Some tools, however, might lure relative novices into a false sense of security.
For instance, Anonymous has created its own computer weapon – the Low Orbit Ion Cannon (LOIC). It's designed to be an easy way for anyone to contribute anonymously to coordinated attacks against big corporations like PayPal, Mastercard, or Visa. Just download the software and fire.
But law-enforcement sleuths may actually be able to use LOIC to their advantage, say cyber security and Internet privacy experts. More savvy Anonymous users take many measures to cloak their identity.
Indeed, the online "Anonymous Security Starter Handbook" takes 52 pages to describe ways to cloak Internet activity – from virtual private networks and "proxy" computers to Internet Relay Chat (IRC).
"Basic Rule: Use as many security layers as possible. The question is not whether you are paranoid, but whether you are paranoid enough?" the handbook states.
Yet some neophyte hackers may rely entirely on certain versions of LOIC, which do little to shield the identities of those who use them: the traffic they generate is sent directly from the user's own connection, so the originating address is visible to the target.
The fact that LOIC was cited repeatedly in the federal indictment for the 14 hackers arrested Tuesday in the US suggests to some security experts that key organizers may not yet have been arrested. The hacker handles and real names of suspected ringleaders who have not yet been arrested have emerged – outed by rival hacker groups like the A-Team or the Jester, purportedly a former US military computer expert.
"Anonymous and LulzSec are groups that inspire bravado and get people interested in causing damage," Mr. O'Leary says. "Someone may just download a tool, but they don't understand the grand scheme of things. They're maybe not really hackers, just people with enough knowledge to get themselves in trouble."