LulzSec Bust a Blow to Anonymous? Not So Fast
When an FBI official crowed to FoxNews earlier today that "We're chopping off the head of LulzSec," was there truth in the boast or just a bunch of hyperbole?
Clearly the agency chopped off something. As was widely reported, law enforcement agents on two continents arrested three top members of the computer hacking group and charged two more with conspiracy, based on evidence gathered by LulzSec's leader, who multiple sources said had been secretly working for the government for months, at least since his arrest last summer.
But security experts say it's too early to tell how much damage has been done to the hacking groups that operate under the loose affiliation of Anonymous.
Nick Selby, a Texas police officer and information security consultant, likens it to the U.S. government taking out Osama bin Laden. That was a severe blow to al Qaeda, but it did not eliminate the threat.
"The nature of these groups is that leaders are important and serve as role models, but the group itself is amorphous," he says.
Chet Wisniewski, senior security adviser at Sophos, says he thinks authorities may have "pretty well mopped up" LulzSec. "But they were a pretty small group. To say that they've put a real dent in the Anonymous movement -- we don't really know that yet."
And Graham Cluley, also of Sophos, wrote in a blog post, "It's cloud cuckoo land to believe that the hacktivist element of Anonymous will fall apart because of this."
Still, both Selby and Wisniewski say the damage could be significant for several reasons: First, neither disputes a quote reported in the New York Times from Cole Stryker, an author who has researched Anonymous. According to Stryker, "Anonymous is a handful of geniuses surrounded by a legion of idiots."
To that, Rob Rachwald, writing on the Imperva Data Security Blog, adds, "It seems the FBI is taking down the geniuses to paralyze the idiots."
Or, as Selby puts it, "What is the barrier to entry for somebody who wants to be part of it? It's extremely low. It doesn't require massive technical skills -- just reasonable knowledge and a willingness to break the law."
Second, Wisniewski says among those arrested are some "strong leaders. I'm surprised they messed up. Some of them are really quite clever."
That, he says, sends a message that even the smart ones can get taken down.
Third is that, in the case of LulzSec, one of their own turned against them.
The hacker "Sabu," whose name is Hector Xavier Monsegur, 28, is described as an unemployed Puerto Rican father of two, living in a public housing project in New York's Lower East Side.
According to the US Attorney's office for the Southern District of New York, Monsegur pled guilty last August to three counts of computer hacking conspiracy, five counts of computer hacking, one count of computer hacking in furtherance of fraud, one count of conspiracy to commit access device fraud, one count of conspiracy to commit bank fraud, and one count of aggravated identity theft. He faces a maximum sentence of 124 years and six months in prison.
All it took for him to compromise himself, Wisniewski says, was one careless mistake. "He logged into a chat room and forgot to anon himself, and that gave away his identity and other personal information."
His arrest, charges and possible sentence, says Wisniewski, were also probably more than enough to flip him to helping the FBI.
"We're all pretty soft," he says, "not the kind of guys you would confuse with mob heavies. To people like us, it's kind of scary that FBI has been able to flip people in the past and will do so again."
So, while Anonymous might try to launch a new string of attacks in retaliation for the arrests, Wisniewski believes the day's events may also chill communication within the group.
"They may worry that there are other people on the inside feeding information to the FBI," he says, "so they may anonymize themselves from others on the inside, which is possible with electronic crime."
The message is also out there that while Anonymous may gain followers and publicity with stunts like putting confidential law enforcement telephone conversations on YouTube, or with their "F--- FBI Friday" that they have been running for a year or more, law enforcement is as tenacious as they are.
"Part of the Anonymous slogan is, 'We do not forgive. We do not forget.' Well, that's what the FBI does too," Wisniewski says.
"I think there may be something of a crisis of confidence, with the knowledge that there was a rat in their midst."