Proxy logs helped FBI track and arrest LulzSec member
by Steve Ragan - Sep 23 2011, 03:37
The logs maintained by HideMyAss.com, in addition to other evidence, have led to the arrest of another LulzSec member in Arizona, The Tech Herald has learned. Cody Kretsinger, 23, allegedly used the anonymity service during his role in the attack on Sony Pictures.
In late May, during the height of their escapades, LulzSec said it was the beginning of the end for Sony. A week later, they released 140,000 records. The breach was possible thanks to a single SQL Injection flaw within a promotional page for the movie Ghostbusters. The SQLi flaw led them to more than one million clear text passwords, 3.5 million “music coupon” codes, and 75,000 “music codes”.
At the time, a database dump with 12,500 records, containing names, home addresses, phone numbers, email addresses, usernames and passwords, was viewed as the most damaging part of the release. In a statement, Sony Pictures confirmed the breach, and said they were working with the FBI during the investigation.
According to a recently unsealed indictment filed in Los Angeles, and a press release from the FBI, one of the participants in the LulzSec attack was arrested without incident at his home in Phoenix, Arizona on Thursday.
The indictment states Cody Kretsinger used a VPN from HideMyAss.com to scout Sony Pictures’ website for SQL Injection vulnerabilities. Based on statements made by the group at the time, Kretsinger’s efforts were successful. In an attempt to cover his tracks, he formatted his hard drive.
Sources at the U.S. Department of Justice told The Tech Herald this afternoon that depending on the methods used to erase the drive, it was entirely possible that data would be recovered. Computer forensics has come a long way in the last decade. Aside from outright destroying a disk, it’s hard to wipe a hard drive in a short amount of time. In addition, the source suggested that server logs presented by Sony and the anonymity service helped with the investigation.
Logs, seized equipment, and testimony from those arrested seem to be the undoing of those connected to Anonymous and LulzSec. However, the source refused to comment on the scope and general flow of the FBI’s investigation into Anonymous and LulzSec, so it is unknown how investigators are connecting the dots.
According to HideMyAss.com, “…services such as ours do not exist to hide people from illegal activity. We will cooperate with law enforcement agencies if it has become evident that your account has been used for illegal activities.”
The service stores logs for 30 days when it comes to website proxy services, and it stores the connecting IP address, as well as time stamps, for those using the VPN offerings. Emails seeking comment on HideMyAss.com’s level of cooperation with the FBI, as well as to confirm what information was made available, were not returned.
Kretsinger made an initial appearance before a federal magistrate in U.S. District Court in Phoenix on Thursday. If convicted, he faces a maximum sentence of 15 years in prison.
In related news, a homeless man was arrested in San Francisco on Thursday as well, for his connection to Anonymous and an attack against the Santa Cruz County government. Moreover, the FBI conducted raids in Minnesota, Montana, and New Jersey, as part of their investigation into the actions of Anonymous and LulzSec.