Pro-American Hacker's Attack Threatens to Expose Anonymous
12 March 2012 | 04:56 PM ET | Paul Wagenseil, SecurityNewsDaily Managing Editor
http://www.securitynewsdaily.com/1613-jester-qr-code-twitter-anonymous.html
As if things couldn't get any worse for the hacktivists of Anonymous, the
self-described patriotic hacker who calls himself The Jester has struck
another blow.
He claims to have broken into many smartphones belonging to Anonymous
leaders and copied incriminating text messages, emails, address books and
other data - data that he may have already passed on to the authorities.
The Jester's intricate, multilayered attack, which took place over five days
last week, sounds almost too good to be true, and some online commenters
have derided it as a hoax.
But security experts say it's definitely doable, and demonstrates just how
valuable the data housed on iPhones and Android phones can be to hackers and
identity thieves.
"My unofficial and initial thought is that it seems entirely plausible,"
Jonathan Zdziarski, a forensic researcher with Oak Park, Ill.-based Via
Forensics and author of "Hacking and Securing iOS Applications" (O'Reilly
Media, January 2012), told SecurityNewsDaily. "And since most of his targets
are probably jailbroken, I can imagine they'd be lagging behind a couple iOS
versions."
"The short answer: possible: yes, likely: yes," said Georgia Weidman, an
Android security researcher with Bulb Security LLC, in an email exchange.
"Impressive: maybe, maybe not."
"I'm inclined to believe he's done what he says he's done," Barrett Brown, a
journalist and unofficial Anonymous spokesman whose own phone was one of the
targets of The Jester's hack, told SecurityNewsDaily. "This is someone who
has spent a great deal of time engaging in 'opposition research' on
Anonymous and associated individuals, and he has a wide network of very
talented contacts, so one would imagine that he'd eventually pull off
something effective."
Many steps, a single goal
For more than a year, The Jester (@th3j35t3r on Twitter) has been a thorn in
Anonymous's side, taunting the movement's organizers even as he attacked
some of the same targets. But his main targets have been English-language
websites that recruit followers for al-Qaida and other militant Islamic
movements, and he has claimed to have developed tools that let him knock
such sites offline single-handedly.
On Friday evening (March 9), The Jester used his blog to detail a
complicated hack against devices running Android as well as Apple's iOS,
which is found on iPhones and iPads.
"At the beginning of this week, just hours before the news of Hector
Monsegur's arrest broke, many of you will have noticed that my Twitter
profile pic changed from the usual 'Jester Mask' to a QR code," The Jester
wrote on his blog Friday. (Monsegur was revealed last Tuesday as "Sabu," a
leader of the Anonymous spinoff group LulzSec who'd been working with the
FBI for the past several months.)
QR codes, as regular SecurityNewsDaily readers know, are a security
nightmare. The two-dimensional barcodes, which pop up in ads and on product
packaging, are meant to whisk your iPhone or other smartphone to a
promotional website. However, they could just as easily take you to a
website loaded with malware aimed at your smartphone.
That's exactly what The Jester says he did.
"Anyone who scanned the QR code using their mobile device was taken to a
jolly little greeting via their device's default browser hosted on some free
webspace," he wrote on his blog. "The greeting featured my original profile
pic and the word 'BOO!' directly below it."
But embedded in that page was hidden code that exploited a known
vulnerability for Apple's Safari and Google's Android and Chrome Web
browsers. (That known vulnerability has supposedly been patched in the
latest versions of iOS and Android, but as both Weidman and Zdziarski
pointed out, many smartphone users either don't or can't update their own
phones.)
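The chain described above starts with a QR code whose only job is to push a browser at a URL the user never sees. The following is an added example, not code from the article or from anyone it describes: a small inspector that takes the text a QR reader has already decoded and decides whether a device should open it, prompt the user, or refuse. It uses only the Python standard library; the free-hosting and URL-shortener domain lists are constructed placeholders standing in for a maintained feed, and the verdict policy is an assumption for this example.

```python
"""Inspect the text decoded from a QR code before a device opens it.

Added example, not from the article or from any party it describes. It
assumes the QR payload has already been decoded to a string by any QR
reader and relies only on the Python standard library. The domain lists
below are constructed placeholders, not a real threat feed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed watch lists; a deployment would load these from a maintained feed.
FREE_HOSTING_SUFFIXES = ("freehost.example", "webspace.example")
URL_SHORTENERS = ("short.example", "t.example")
SAFE_SCHEMES = ("http", "https")


def inspect_qr_payload(payload: str) -> dict:
    """Return {'verdict': 'open' | 'prompt' | 'block', 'reasons': [...]}.

    Policy (an assumption for this example):
      block  - payload is not a web URL, or uses a scheme the browser would
               execute rather than fetch (javascript:, data:, intent:, ...)
      prompt - URL parses, but shows traits common to drive-by landing pages:
               IP-literal host, userinfo tricks, free hosting, shorteners,
               punycode hosts, plain http
      open   - nothing suspicious found
    """
    reasons = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme not in SAFE_SCHEMES:
        reasons.append(f"scheme '{scheme or '(none)'}' is not http/https")
        return {"verdict": "block", "reasons": reasons}

    host = (parts.hostname or "").lower()
    if not host:
        return {"verdict": "block", "reasons": ["URL has no host"]}

    if parts.username is not None:
        # "http://trusted.example@203.0.113.5/" shows a trusted-looking name
        # before the '@' but actually connects to 203.0.113.5.
        reasons.append("userinfo before '@' can disguise the real host")

    try:
        ipaddress.ip_address(host)
        reasons.append("host is an IP literal rather than a domain name")
    except ValueError:
        pass  # ordinary domain name

    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("internationalised (punycode) host may be a look-alike")

    if any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES):
        reasons.append("hosted on free webspace")

    if any(host == s or host.endswith("." + s) for s in URL_SHORTENERS):
        reasons.append("URL shortener hides the final destination")

    if scheme == "http":
        reasons.append("plain http: page could be altered in transit")

    return {"verdict": "prompt" if reasons else "open", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample payloads, including one modelled on the free-webspace
    # greeting page the article describes.
    for sample in ("https://www.example.com/promo",
                   "http://boo.freehost.example/greeting.html",
                   "http://trusted.example@203.0.113.5/",
                   "javascript:alert(1)"):
        print(sample, "->", inspect_qr_payload(sample))
```

The point of the check is that a QR scanner should never hand an undecoded payload straight to the browser: the user has no address bar to read before the page loads, so the scanner is the only place the destination can be shown and judged. A prompt that lists the reasons is usually enough to stop the "just scan it" reflex the article's 1,200 scans illustrate.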
The hidden website code connected to another server, which was running a
network diagnostic tool called Netcat.
"When anyone scanned the original QR code using an iPhone or Android device,
their device would silently make a TCP shell connection back to my remote
server," The Jester wrote. "Like a phone call, if you like."
Next, The Jester said, Netcat checked if Twitter software was installed on
the target phone. If so, the script would check for a linked Twitter
account, then send that account's user name back to The Jester's server.
"As for using QR codes to launch browser-based exploits, Jester's
explanation is correct," Weidman said. "Mobile Safari has to run unsigned
code since Web pages, PDFs, etc., are not all signed by Apple, and if you
couldn't look at a webpage on your iPhone, everyone would buy Androids."
Crossing the line?
So far, there's nothing explicitly illegal or even, arguably, unethical
here. The Jester's software has only been listening to see how much
information a social-networking app will give up. Many "proof-of-concept"
hacks developed by security researchers are similar.
The next step is where it gets malicious. The Jester said his script
cross-checked each harvested Twitter user name against a "hit list" of
Twitter accounts associated with Anonymous news sites and chat rooms,
Islamist recruiting sites and WikiLeaks.
"His payload checking Twitter names for the victims he wanted and then only
targeting them is something I find pretty clever," Weidman said. "As for the
privilege escalation and dumping info off the phones, this is pretty
standard in a jailbreak/root or malicious attack. This is common in mobile
malware."
Like The Jester himself, many hacktivists associated with Anonymous, LulzSec
and similar groups communicate mainly via Twitter. (The Justice Department
has begun to subpoena Twitter for the real names behind many accounts.)
Two known individuals were also on The Jester's hit list: Barrett Brown and
Rhode Island state Rep. Dan Gordon, whose apparent chumminess with Anonymous
had raised The Jester's ire.
("I had no idea it was something one could scan, much less with their
phone," Brown said of the QR code. "The FBI took my phone last week anyway,
so it wouldn't have mattered if I had.")
"If the prerequisite conditions outlined above were met and the device's
Twitter client WAS associated with an account on the '[hit] list,' things
got very interesting," The Jester wrote on his blog. "Another script fired
elevating permissions and raping the SMS logs, call logs and phonebooks and
(as long as the user was using the default out of the box email client)
emails stored within."
In other words, if the Twitter user name matched one on The Jester's enemies
list, then a second piece of programming tried to take over the targeted
phone. If it succeeded, it would access archived SMS text messages,
incoming- and outgoing-number logs, archived emails and address
books/contact lists, then send all that data back to The Jester's server.
"Creepy?" The Jester asked rhetorically on his blog. "Only if you are
naughty."
Good guys vs. bad guys
The Jester wrote on his blog that this "sting" went on for five days, until
another Twitter user noticed the embedded code and asked him about it. But,
he wrote, that was long enough to gather a lot of data.
"Over 1,200 curious netizens scanned the QR code," he wrote. "Of those, over
500 devices reverse-shelled back to the listening server. Of those, a
significant number were on the '[hit]-list' and as such treated as valid
targets."
As for the justification for all this, The Jester was very clear.
"EVERYONE else without exception was left totally 'untouched' so to speak,"
he wrote. "This was a proof-of-concept QR-code-based operation against known
bad guys, the same bad guys that leak YOUR information, steal YOUR
[credit-card numbers] and engage in terror plots around the world. I do not
feel sorry for them."
Today (March 12), The Jester posted an encrypted 143-megabyte file
containing all the data he'd extracted to MediaFire, a file-sharing site.
"It's encrypted with my PGP public key," he wrote, referring to a common
encryption standard. "Have fun with that."
In a private communication, SecurityNewsDaily asked The Jester why he'd
encrypted the information rather than post it in regular, plain text.
"I encrypt my [data] dumps as a matter of course because I am not the same
as my detractors who drop personal info all the time," he replied. "The
right people have the plain text dump. It would be highly irresponsible of
me to be dropping anything in the open."
But The Jester wouldn't let on to what he hoped to accomplish by doing this.
"Many folks are trying to analyze and prod at my methods," he told
SecurityNewsDaily. "The truth is they don't know me, can't find me and
speculate as to how I do my thing.
"Everything anyone says (good or bad) is based on assumptions and
conjecture," he added. "That's the way I like it. Nobody has any firm ground
to stand on."
Without knowing what's in the data dump, it's hard to assess how much damage
the information could do to Anonymous, or to the various al-Qaida-affiliated
websites also targeted.
"[It] would depend on who exactly was compromised," Brown said.
Asked whether The Jester's tactics were justified, Brown was equivocal.
"It's certainly justified within the context of this particular engagement,
one in which things get hacked, people get monitored, documents get stolen
and apartments get raided," he said. "I'm certainly a legitimate target for
such things."
Is the FBI listening?
However, as SecurityNewsDaily pointed out to both men, The Jester with this
action has moved beyond attacking Jihadi sites and trying to establish the
identities of LulzSec members to targeting known U.S. citizens with malware.
Was he worried that doing so might put him in the cross hairs of law
enforcement?
"As far as LEA's [law enforcement authorities] taking an interest in me, we
will have to wait and see," he told SecurityNewsDaily.
Brown doesn't think The Jester needs to worry, as long as he sticks to
attacking perceived enemies of the state.
"I'm not convinced he's upset U.S. law enforcement at all," Brown said.
"You're allowed to break all sorts of laws if you do so in the interests of
national security.
"Like me, that particular congressman [Rep. Dan Gordon, actually a state
representative] is no friend of the national security state," Brown added.
"As such, we're legitimate targets. Remember that this is a country in which
the Justice Department set the Team Themis/Wikileaks affair in motion. If it
weren't such a country, Anonymous wouldn't be necessary."
The Jester doesn't sound too worried that a SWAT team's going to bust down
his door any time soon.
Reminded that Twitter was receiving subpoenas for information on users, he
replied, "There is no identifying information held in my profile, and I
never connect even close to directly. It's a rule of mine."