It hasn’t been the best of months for Anonymous, the loose hacktivist collective that likes to view itself as the most potent threat on the Web to big government, big business, and those who do not share its views on pretty much anything — law enforcement, the environment, internet freedom, copyright laws, politics etc. Several of its recent claims have been exposed as not just inflated, but outright fabrications.
FBI hack refuted
Earlier this month, AntiSec, an offshoot of Anonymous, posted more than 1 million Apple Unique Device Identifiers (UDID) to Pastebin, and claimed it had stolen more than 12 million of them from an FBI agent’s laptop in March.
The group claimed to have personal mailing addresses and phone numbers besides the UDIDs, plus device tokens for the Apple Push Notification Service (APNS) for numerous types of Apple devices such as iPhones, iPads and iPod Touches.
The FBI immediately denied that any of its computers had been compromised. Apple said it had never provided UDIDs to the FBI. And, as Michael Mimoso noted on the Kaspersky Labs blog Threatpost, David Schuetz, a senior consultant with Intrepidus Group, found that the real source of the breach was BlueToad, a Florida based technology provider for digital publishers.
“[Schuetz] found a password dump online for BlueToad dated March 14, the same week AntiSec said it had breached the FBI computer. Any hesitancy Schuetz had regarding BlueToad’s connection to the breach was evaporating,” Mimoso wrote.
Earlier this week, BlueToad CEO Paul DeHart publicly confirmed via the company’s blog that it was the source of the breach, that it had contacted law enforcement and was cooperating in the investigation.
GoDaddy’s outage claimed
There was also the recent boast by Twitter user @AnonymousOwn3r that he had shut down the website provider and domain name registrar GoDaddy on Sunday with a distributed denial-of-service (DDoS) attack.
Wrong again, said GoDaddy interim CEO Scott Wagner, who explained on the company website that the problem was a “service outage due to a series of internal network events that corrupted router data tables.”
[Slide show: Anonymous and LulzSec – 10 greatest hits]
Then there was the claim last month that Anonymous was looking to break into the communication system between NASA and the Mars rover Curiosity.
That didn’t even pass the laugh test for most security professionals, who viewed it as a bad joke or a weak attempt at trolling.
Last March, LulzSec, which operated under the Anonymous umbrella, after the FBI arrested and then flipped its leader, Hector Xavier Monsegur, who went by the hacker name of “Sabu.”
Does all this mean that the Anonymous brand has been undermined? Do its boasts and threats have any credibility in the security community?
Yes and no, say those who track its exploits. Most agree with Cole Stryker, an author who has researched Anonymous and who The New York Times quoted describing it as “a handful of geniuses surrounded by a legion of idiots.”
Those idiots, say experts, are going to make a host of errors and laughable claims. But that does not mean there is no danger from the core group.
“What we have here is a bunch of kids, largely in UK and here and dozens of other places such as Brazil, Turkey, Iran, China, Ukraine, Romania and lesser numbers in other places across the planet — a bunch of really bored kids who want to be a part of something, but have no clue,” said Kevin McAleavey, cofounder of the KNOS Project and a malware and hacking expert.
“How seriously do I take Anonymous’s claims? About as seriously as I take ‘The Daily Show,'” he said. “Yes, there are a handful of really dangerous people who those kids admire and who occasionally feed them a breath mint. One or two of them have already been apprehended. The rest have gone back to collecting exploits and writing malware, and selling them to criminals and government spooks for real cash. They won’t touch Anonymous any more because the heat is too high.”
Nick Selby, a Texas police officer and information security consultant who runs a police-led intelligence blog, noted at the time of the LulzSec bust that there is essentially no barrier to claim membership in Anonymous. “It doesn’t require massive technical skills — just reasonable knowledge and a willingness to break the law,” he said.
But Aaron Cohen, founder of the Hacker Academy, said he thinks it would be foolish to discount the group’s skill and power. He said he has a hard time talking about Anonymous, “because we don’t know who they are. People are out there doing things under the name of Anonymous, but you don’t really know if that’s true.”
Cohen said the whole idea of an Anonymous brand misses the point. “They’re not looking for branding,” he said. “They’re doing it under a pseudo name. There is no call to arms to get somebody. But if one person says they’re going to get a company, then everybody tends to rally around that person.”
But Cohen adds that he thinks Anonymous has been “pretty reliable so far,” in both its claims and its threats. And he said whether it is Anonymous or some other group, good hackers are proof that “if people want to break into something badly enough, they can.”
“So if you’re a target, it’s best to tighten up,” he said.