[BreachExchange] So You Wanted To Be A Black Hat? You Might Just Get Blacklisted!

[Audrey McNeil]

https://www.riskbasedsecurity.com/2016/08/so-you-wanted-to-be-a-black-hat-you-might-just-get-blacklisted/

In early July, it was revealed that a Thomson Reuters service known as
World-Check had licensed information to a client that subsequently failed
to secure the database. The leak, discovered by Chris Vickery, affected
over 2.2 million persons identified as “heightened-risk individuals” that
had been included in the World-Check database between 3/17/2000 and
9/17/2014.

Shortly after the discovery, Risk Based Security performed an analysis of
the data and published our findings. The original analysis included a
review of the type of data discovered, along with some statistics for the
various data field options.  While this provided good insight into the type
of persons and organizations tracked by the service, our researchers felt
that there was more to the story specifically as it relates to our work on
the Arrest Tracker project. A follow-on analysis was done, looking more
closely at entries relating to hackers, hacktivism and information security
in general. After searching for notable names in the dataset, we discovered
that convicted hackers, known hacker groups and collectives had been
entered into the World-Check database. The results were interesting, with
some anticipated findings as well as some surprises.

Considering that World-Check could be considered a blacklist of sorts and
is used to comply with Know Your Customer regulations, the additional
analysis provides even more insight into how these systems work.

“Hacker” Collectives

Our first observation was that hacker collectives that had built a name
themselves by defacing websites and posting their successes on social media
mediums like Facebook have been classified as an ORGANISATION. Individuals
that have been convicted for hacking activities are classified as
INDIVIDUAL, CRIME – OTHER or CRIME – FINANCIAL.  It is interesting to see a
distinction is being made here based on the outcome of the activity rather
than the nature of activity itself. Apparently if the individual stole
money, credit card data or committed another financial-based offense, the
“FINANCIAL” category would apply but someone else using similar means or
methods absent the financial dimension would fall under the “CRIME-OTHER”
category.

These hacker collectives often have considerably different skillsets, with
some being very advanced and others being low level groups with limited
skills, utilizing pre-made scripts and YouTube tutorials to enable their
activities. Some groups often claim to be hacking purely for fun or as part
of a learning effort. To think these groups and their members could be
added to a database alongside murders, terrorist, convicted criminals is a
bit of a worry to say the least.

This past week at DEF CON 24, our CISO, Jake Kouns presented “Cyber” Who
Done It?! Attribution Analysis Through Arrest History.  The talk
highlighted what many suggest are real issues (others considered them as
perceived) with Cyber Attribution as well as the importance.  In addition,
the session introduced the Arrest Tracker Project started in 2013 by Lee
J.  The project aims to track computer intrusion incidents resulting in an
arrest, detaining of a person or persons, seizure of goods, or other
related activities that are directly linked to computer crimes.

Some of the more notable Collectives found in World-Check from the recent
years include:

- CabinCr3w
- AntiSec
- LulzSec
- RedHack
- Poisanon
- Team Poison
- UGNazi
- RexMundi
- Team Digi7al

In total, our researchers found over 130 collectives within the World-Check
dataset.

Notable Names

Diving into the well known names, it was clear that hacktivist groups such
as LulzSec, UGNazi,  and Anonymous would be included in the ORGANISATION
category. Less clear was how the database would represent the members of
these groups that had been identified and convicted of a crime. For each
convicted member from a known collective, the database includes full names,
ages, dates of births, court information and outcomes. Hacktivists such as
Barrett Brown and ex-TeamPosion hacker Junaid Hussain, also known as TriCk
and Abu Hussain al-Britani – who has been classified under TERRORISM as
well – are included in the database.

In total, research identified approximately 36 individuals within the
dataset with the TERRORISM classification and corresponding links to cyber
crime. Stepping back from the TERRORISM label, our researchers identified
931 entries out of a total of 2,248,125 entries in the database that were
directly related to cybercrime.

Junaid Hussain

The appearance of Junaid Hussain in the database helps to confirm this
leaked copy is indeed an older version the World-Check dataset. Junaid
Hussain was killed by a U.S. drone strike, reportedly taking place in Raqqa
on August 24th, 2015. Hussain was a core member of TeaMp0isoN, a group well
known for their activities taking place from 2010 to 2012. Originally from
Birmingham, U.K., Hussain was arrested in 2012 for the hacking of an email
account belonging to a staff member working for Prime Minister Tony Blair.
Hussain later fled the country in July 2013 while on police bail on a
different issue. Hussain became linked to ISIS, which ultimately lead to
his death last year and making him the first hacker known to die in drone
strike.

The PayPal 14

Surprisingly, individuals that were a part of the PayPal 14 are also in the
database. Despite 13 of the members pleading guilty to participation in a
denial of service attack against PayPal, many viewed their 4-day attempt to
disrupt the service as a somewhat benign act of protest against PayPals’
blocking of certain payments. Forbackground, PayPal attracted the ire of
hacktivist by blocking payments to an account set up to accept donations
for Wikileaks. In retaliation the group banded together and carried out a
DDoS attack that resulted is some service disruption. As a result of the
attack,14 members were detained, charged and put on trial for violation of
theComputer Fraud and Abuse Act. Objectively, yes, these individuals
committed crimes, but do these crimes amount to something more than
misdemeanor disobedience?  Apparently so under the guidelines for inclusion
in the World-Check database.

Kevin Mitnick

Everyone knows this name, but some may wonder what’s he doing on the list?
These days, Kevin Mitnick is better known for his frequent public
appearances, various publications and security consulting business. His
exploits have been well documented, despite taking place more than 20 years
ago. He has since served his time and actively works to help others improve
their security. Mitnick’s multiple appearances in the database could be
taken as evidence that regardless of when the activity occurred or
subsequent actions, once convicted the mark is not removed.

Adrian Lamo

Continuing on the theme of high-profile individuals that later helped the
authorities, Adrian Lamo also appears on the list. The enigmatic Lamo is
known for his intrusions into WorldCom, The New York Times, Microsoft, and
Yahoo! He was also instrumental in identifying Chelsea Manning as the
source of thousands of leaked diplomatic cables and footage from the Iraq
war that appeared on WikiLeaks in 2010. The long list of charges against
Manning resulted in a 35 year prison sentence while Lamo’s outing of
Manning to the authorities generated resentment among the hacking community.

World-Check Sources

Where does World-Check gather all of this “hacker” information? What sites
and sources are referenced to support the entries? As noted in our previous
post, the World-Check webpage states that: Information is collated from an
extensive network of hundreds of thousands of reputable sources, including:

- 530+ sanction, watch, regulatory and law enforcement lists
- Local and international government records
- Country specific data sources
- International adverse electronic and physical media searches
- English and foreign language data sources
- Relevant industry sources

A more detailed look at the sources appearing in relation to hackers and
hacking collectives revealed these sources have also been cited as
references:

1. usdoj.gov
2. justice.gov
3. cyberwarnews.info
4. hackread.com
5. enequirer.com
6. chicagotribune.com
7. thehackernews.net
8. Databreaches.net

What Does All This Mean?

The World-Check database is good reminder to all of us that data, once
indexed and cataloged, rarely disappears for good. Regardless of the motive
behind the action, the severity of the charges or subsequent good deeds,
once convicted of a crime that conviction can follow you for a lifetime.

To sum it up, if you want to be a black hat, prepare to be blacklisted.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160810/1e9fe45e/attachment.html>