It was pretty astounding to hear that the feds had arrested 16 people yesterday in connection with Anonymous and LulzSec hacking attacks. Of them, 14 were indicted for participating in distributed denial of service attacks as part of Anonymous's Operation Payback, which took down the MasterCard and PayPal sites after those companies stopped processing donations to WikiLeaks. But two of the people arrested yesterday face very different charges, well beyond lending their home computers to a mass DDoS attack. Both allegedly broke into organizations with real security teams and leaked data in ways that now make it look as if they almost wanted to get caught.
One, 21-year-old AT&T customer support contractor Lance Moore, allegedly used his company-issued VPN login and password to get into AT&T's systems and gather data that he then leaked as part of LulzSec's June 25 "50 Days of Lulz" release. The other, 21-year-old University of Central Florida computer science student Scott Matthew Arciszewski, allegedly hacked into the FBI contractor Infragard in Tampa and uploaded files there, then tweeted the news directly to the FBI's own Twitter account. Court documents outline how both suspects showed arguably poor judgment, and worse operational security, while allegedly breaching their respective targets.
Not Too Deep Inside AT&T:
Moore started working for a company called Convergys in its Las Cruces, New Mexico office on Aug. 23, 2010, according to the complaint prepared by FBI Special Agent Jeffrey D. Calandra. In order to do his job as a customer service representative for AT&T Mobile, he was issued a login for the company's virtual private network. According to the complaint, the AT&T security team discovered a large cache of company data -- including "thousands of spreadsheets, Microsoft Word documents, Microsoft PowerPoint presentations, image files, PDF files, applications and other files, largely concerning AT&T's plans related to its 4G data network and LTE (Long Term Evolution) mobile broadband network, among other topics" -- posted publicly on the file sharing site Fileape.com on April 16, 2011. The company valued the information at more than $5,000, a figure that matters because it is the loss threshold for a felony under the federal Computer Fraud and Abuse Act. The complaint goes on to describe how AT&T's own investigators caught, and got fired, Moore.
Because the VPN login was issued to Moore personally, every session was attributable to him, and AT&T investigators also found that he had run a string of searches for file sharing sites and for Fileape from his work computer. He was fired on May 19, but the damage was done. When LulzSec published its 50 Days of Lulz release on June 25, which contained the information Moore had allegedly leaked, the FBI started its investigation with the help of the company, which was likely happy to help nail Moore. Moore now faces data theft charges.
'Anonymous' in Name Only:
Arciszewski allegedly used his UCF dorm room's Internet connection to hack into FBI contractor Infragard on June 21, then publicized both the files he had uploaded and instructions for repeating the breach. The intrusion was done in the name of LulzSec's Anti-Security movement, but not as part of an "official" LulzSec release. He allegedly posted the files on the website kobrascorner.com, which was registered under the name Voodookobra, a handle he had used openly for years. FBI Special Agent Adam R. Malone wrote in his criminal complaint that he searched for Voodookobra on Google and found a Wikipedia entry from 2009 that named Arciszewski as its owner. UCF also helped Malone with his investigation by confirming that the IP address that breached Infragard was the one assigned to Arciszewski's dorm room. Malone found a post Arciszewski had allegedly made to hackforums.net under an account that used his own photo as an avatar, and he also found Arciszewski's Facebook page. But the kicker is that after Arciszewski breached the site and uploaded the files, he tweeted the news to both LulzSec and the FBI itself, the affidavit says.
The account @voodooKobra is still active. This is the most recent tweet, from yesterday:
I have had a very bad day. I am stressed to the max.
In his chatroom comments to The Atlantic Wire yesterday, LulzSec frontman Topiary suggested those who were arrested were "volunteer/supporter DDoS Anons who accidentally (or just foolishly) used LOIC from their home IPs." He said newer or less serious members of the group were frequently lax about security out of recklessness, laziness, or "nessnessness." These accounts seem like examples of all three.