FBI makes easy catch of alleged LulzSec hacker 'Recursion' for Sony data breach

The FBI has arrested a 23-year-old man it accuses of being LulzSec member "Recursion," for his alleged involvement in one of many attacks on Sony in April and May.

Two others were also arrested in Mountain View, Calif. for DDOS attacks on Santa Cruz County servers in late 2010.

The alleged LulzSec'er is Cody Kretsinger, a Phoenix resident living in California, who the FBI accuses of taking part in one of many cracks of Sony sites – in this case using a SQL injection attack to penetrate and download from Sony servers lists of customer names, emails and other information that could be used in identity theft.

The FBI tracked Kretsinger through the user logs at web proxy provider Hidemyass.com, a commercial VPN proxy service he allegedly used to mask his IP address and identity.

He was arraigned yesterday on charges of conspiracy and impairment of a protected computer, which carry a maximum penalty of 15 years.

The other two men arrested are believed to be Christopher Doyon, 47, of Mountain View Calif. and Joshua Covelli, 26, of Fairborn, Ohio, both of whom are named in a separate indictment for the DDOS attack on Santa Cruz county government offices.

Doyon and Covelli are allegedly members of another Anonymous spinoff group called the People's Liberation Front – a subgroup of what some Anonymi call "the hive mind" that is more overtly political and was among the leaders in efforts to create anonymous sites on which hackers could post stolen confidential government data in an effort to give the public a clearer view of what various government agencies are up to.

PLF lists itself as being allied with established and respected hacking groups including the Chaos Computer Club, Cult of the Dead Cow, Pirate Party International and Global Liberation Network as well as Anonymous.

There hasn't been much response from various Anon news sources, which flooded the 'net with tweets ridiculing British and U.S. authorities for arresting the "wrong" people in a sweep that netted 16 in the U.S. and U.K.

Soon after the same sites began posting FreeTopiary banners in support of 19-year-old Jake Davis, alleged to be Topiary – LulzSec's spokes-troll and second in command.

It's not clear what evidence there is against Kretsinger other than VPN logs, which may be damning and may be irrelevant. Even the Supreme Court found recently that an IP address is not the same thing as an identity.

My wild guess is that, if Kretsinger was involved in the Sony hacks – and it was hit so many times that most of those doing the attacking must have been copycats rather than the original attackers.

What makes Kretsinger look more like a fringe member of a group like LulzSec – if he turns out to be guilty, or can be shown to have been involved at all – isn't the VPN logs or target, though.

It's that he used a single, commercial VPN proxy service to try to hide his identity and figured wiping his hard drive would keep forensic investigators from recreating at least some of his data after they confiscated it.

That's the kind of security level even script kids would consider amateurish.

Wiping a hard drive – even using military-grade software that fills, deletes and reformats the drive many times to try to layer junk over good data before wiping both out – isn't certain to get rid of all the evidence unless you go beyond security utilities to include power tools in your repertoire. Actual power tools – drills and saws and shredders, will usually do the trick. Them forensic dudes is tricky, and magnetic data is notoriously difficult to wipe out completely unless it's something no one else cares about but that you need desperately and have no time to try to recreate.

It happens a lot in the U.S. between 11 pm and 12 pm on April 15. Must be the alignment of the planets or something.

Just using a single commercial VPN proxy service – one designed to be inexpensive and to offer a demonstrable level of privacy but not a bulletproof wall of anonymity to use against law enforcement – is even more naïve.

Hidemyass.com's Terms of Service page says clearly it keeps logs of when and for how long members connect and what Internet resources they access.

They keep the logs for 30 days and promise that if the cops come calling (with the right warrants and subpoenas), it will turn over that information.

It is not the mark of a hard core or dedicated hacker to assume that one $12/month proxy service will hold off the FBI is worse than naïve. It's asking for trouble.

There are dozens of free- and paid VPN services designed to offer exactly the same service, the free and open-source TOR being the best known and most venerable.

Most are not much of an obstacle to cops with subpoenas, and they're not designed to be.

They're designed to make it harder for advertisers to track your activities or employers to know whether you're visiting Facebook or ESPN during the workday.

More extreme services are designed for dissidents in authoritarian countries who want to read unbiased news about their own countries without being arrested for it.

Hidemyass is not one of those hard-core services.

Harder-core hackers or others looking for more certain anonymity often use zombie machines on botnets created by malware and other proxies over whose recordkeeping and vulnerability they have more control.

That makes tracking an attack difficult for law enforcement forensic investigators, who might backtrack an attack to a bank of servers at a university or shared PC at a library – neither of which has any record of where the traffic originated or who controlled it.

Hidemyass is only one of several VPN services LulzSec'ers mentioned in IRC chat logs posted by anti-LulzSec hackers like Web Ninjas, who wanted to expose the Lulz as poseurs and punks.

It's possible the awareness of their vulnerability was so shallow among LulzSec'ers in general that Kretsinger's flub wasn't unusual, but I kind of doubt it.

Much more likely he was among the second- or third-tier joiners who either copycatted on their own or jumped on the LulzSec hackwagon because it looked like a good way to build up a wild rep without having to pick targets and figure out all the exploits on your own.

Unfortunately, whatever Kretsinger was up to (the FBI has been wrong in its accusations before), or how much he knew about how to use a certain set of tools and exploits, he didn't know enough about how to hide his tracks to keep the feds from knocking on the door.

When you're trying to hack the highest-profile players you can find, building a reputation by crashing the biggest parties, insulting the most important people and getting away again before they can respond, leaving a trail of footprints back to your place is not the best way to ensure you get a chance to ever crash a second party.

LulzSec'ers said throughout their very public reign of idiocy that they were in it for the lulz, the laughs, the excitement and to provide entertainment to the masses.

The FBI isn't in anything for the laughs. The FBI has no sense of humor as far as the MIB know.

When you make jokes that embarrass the FBI, it tries to find you. And it keeps trying long after you think the joke's over.

This isn't the first LulzSec arrest, and it won't be the last. The FBI and law enforcement agencies in the U.K. have been picking off Lulzers and Anonymi since mid summer and show no signs of stopping. Certainly no single service designed to offer thinly veiled anonymity from advertisers is going to stop them.

LulzSec, I hate to say I told you after you hacked the Senate, but I did.

For people with no sense of humor, the joke is never over until they find the jokers and get to lock them up.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies