The Australian Federal Police announced yesterday evening that they arrested Matt Flannery, a 24-year-old IT professional from Point Claire. The police allege that he attacked and defaced a government Web site earlier in the month. Interestingly enough, the police also say that he’s a “self-proclaimed leader” of LulzSec.

The police say Flannery used his position within an IT company to hack a number of clients. The police also warned that he would have attacked more Web sites had he stayed employed with the company.

Flannery faces two counts of unauthorized modification of data to cause impairment and one count of unauthorized access to, or modification of, restricted data. The police note that the maximum penalty for the former is 10 years and 2 years for the latter.

What’s interesting about all of this is that the police say he’s a “self-proclaimed leader” of LulzSec. Members of Anonymous and others have come out on Twitter to dispute this claim:

This absolute bullshit great work feds u busted a ddos fag >> Self-proclaimed LulzSec hacking leader arrested in NSW abc.net.au/news/2013-04-2…

— Anonymous Australia (@AuAnon) April 23, 2013

#AFP trying to make this like they cracked the big case yet we dont even know what hack it was some big hecker #lulznot

— Anonymous Australia (@AuAnon) April 24, 2013

Self-proclaimed leader of #Lulzsec in Australia is trolling. Police are dumb.

— K for Kallisti (@Kallisti) April 24, 2013

“He is a well-respected person within the Anonymous community”, said Brad Marden, cyber-crime ops co-ordinator, AFP. Anonymous disagrees.

— Asher Wolf (@Asher_Wolf) April 24, 2013

#BREAKING!!! EXCLUSIVE:We have a picture of the leader of @lulzsec #LulzSec taken 5 minutes ago. twitter.com/AnonymousWWN/s…

— Anonymous (@YourAnonNewsKR) April 24, 2013

As an added bonus, Gizmodo AU dug up this video of the alleged LulzSec “leader” singing along to Grease:

[h/t: BBC]

Since then, the members of LulzSec have been rounded up and taken to trial. The latest trial saw Cody Kretsinger, known as “Recursion” in online circles, sentenced to a year in prison. He was convicted on one count of conspiracy and unauthorized impairment of a protected computer. After his year in prison, he will remain under home detention.

You may be thinking that Kretsinger’s sentence is a little light. He was able to get his sentence down to a year thanks to a plea bargain he made last year with federal prosecutors. As part of that plea bargain, he admitted to hacking into a Sony Pictures’ database and sharing the information with other members of LulzSec.

Home detention won’t be the only thing that Kretsigner has to look forward to after his stint in prison either. The U.S. district judge ordered him to complete 1,000 hours of community service. Maybe he can help clean up Sony Pictures’ studios in Los Angeles to help make up the $600,000 in damages that federal prosecutors say he caused the studio.

Kretsinger is one of the last original LulzSec members to be sentenced for their hacking spree in 2011. The hacker collective fell apart last year when its leader, known as Sabu, went rogue and started working with the FBI as an informant. There have been attempts to resurrect the group since then, but nothing has come of it.

[h/t: Reuters]

Benjamin Blouin fully admits to hacking the network, but he says that he only did so to illustrate its flaws.

Anyone trying to access the FSU Wi-Fi on March 1st was redirected from the FSU homepage to a “video of two men having sex.” To denizens of the internet, that redirect led everyone to the infamous shock video known as “Meatspin.”

Meatspin, a meme from the mid-2000s (SFW), features a close-up of two men having sex with the Dead of Alive song “You Spin Me Round” playing in the background. It actually comes from a porno film from 1985.

Apparently, Blouin says that he has been trying to bring the issue of network insecurity to the school’s attention for over a year. I guess he just needed something a little more shocking to get it.

“Anybody’s identity, while they’re logged onto that network, could be at risk,” said our hacktivist.

According to the report, FSU has shut off public access to the Wi-Fi network to “implement system upgrades.” Apparently, they will not require everyone to login to use the Wi-Fi.

All I can say is that this is the most successful use of meatspin that I’ve ever seen. And boy, are they some pretty great comedic opportunities associated with meatspin (risky click of the day award goes to…).

[News Herald via BetaBeat]

In its latest attempt to get the government’s attention, Anonymous announced that it hacked the State Department . To top if off, the hacker collective also released a database it found while going through the Web site. The database contains the personal information of State Department employees in the U.S. and overseas. The information in the dump includes names, birth dates, phone numbers, email addresses, home addresses, etc.

According to Anonymous, this latest hack is not only a continuation of #OpLastResort, but a response to the U.S. arresting and imprisoning members of Anonymous. Here’s the full statement:

Our reasons for this attack are very simple. You’ve imprisoned or either censored our people. We will not tolerate things as such. You don’t see us going around censoring everything that is inappropriate or we do not like. Basically, you tried to put an end to us and you got owned, there’s nothing more you can say or do. You took away Topiary, Avunit, Neuron, Pwnsauce, lolspoon, Aaron Swartz shall we go on? Heck you think this makes us weak? We are only growing stronger because of the fact that you are forcing us to revolt. When the lions roar you will hear them. And when it’s feeding time you’ll be our dinner.

Aaron Swartz this is for you, this is for Operation Last Resort.

We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Expect us.
#OpLastResort

The State Department wasn’t the only target of this latest hack. Anonymous also targeted private investment firm George K. Baum and Company. The site was defaced with a link to a pastebin that featured private account information of all the firm’s customers. According to the OpLastResort Twitter feed, this particular hack was made because of the firm’s ties to Stratfor, the private intelligence company that Anonymous hacked into last year.

Once again, it looks like #OpLastResort won’t be slowing down anytime soon. Anonymous will continue looking for exploits in government Web sites, and publicly hack them for all to see. At this point, it’s not so much about getting any kind of information, but rather just embarrassing the government.

It will be interesting to see how Obama’s new cybersecurity executive order will affect how the government reacts to attacks from Anonymous. The new rules for information sharing between public and private institutions may just help stop some of these attacks before they happen, but it isn’t likely.

[h/t: Net-Security]

As usual, the defaced Web site featured a message from Anonymous. In it, the hacktivist collective calls for a number of reforms in Internet law. Here’s the list courtesy of CNET:

We call for this tragedy to be a basis for reform of computer crime laws, and the overzealous prosecutors who use them.

We call for this tragedy to be a basis for reform of copyright and intellectual property law, returning it to the proper principles of common good to the many, rather than private gain to the few.

We call for this tragedy to be a basis for greater recognition of the oppression and injustices heaped daily by certain persons and institutions of authority upon anyone who dares to stand up and be counted for their beliefs, and for greater solidarity and mutual aid in response.

We call for this tragedy to be a basis for a renewed and unwavering commitment to a free and unfettered internet, spared from censorship with equality of access and franchise for all.

Beyond Anonymous hacking MIT, another group has stood up in support of Swartz’ mission to make information free for all. A number of academics have been publishing studies online with the hashtag #PDFtribute. Most of these studies are copyright protected, but Swartz would likely have it no other way. He believed in freedom of information, especially when it came to academic studies. It’s hard to say if the publishers will prosecute authors uploading their own studies, but it would look really bad on those who do in the wake of Swartz’ death.

Swartz was a well known and beloved member of the online activist community. It’s unlikely that Anonymous is going to stop with a simple hack or defacement. The group is going to continue to push for reform with this particular tragedy only serving to bolster their cause.

[Image: okfn/flickr]

First, back in late August the Java browser plug-in was found to be vulnerable to an exploit that could make all PCs using browsers with the Java plug-in installed open to malware by visiting a malicious website. Thankfully, Oracle didn’t wait for its October patch to fix the issue, and released a patch just a few days later.

Only that wasn’t the end of it. A security company announced the day after the patch that another vulnerability in the Java software had been found. Meanwhile, the news came that Oracle knew about the exploits but did not fix them until news of them forced their hand.

Today, security company Security Explorations has once again called out Oracle for an exploit found in Java. The new exploit affects all the latest versions of Java SE software, including Java SE 5, 6, and 7. The company’s CEO, Adam Gowdiak stated that their tests were able to bypass Java’s security sandbox. The tests used a fully updated version of 32-bit Windows 7 and modern browsers. Anyone using Firefox, Chrome, Internet Explorer, Opera, or Safari is vulnerable.

Gowdiak said in an email that the company has notified Oracle of the exploit. He also told ComputerWorld in an interview that, thankfully, there is not yet any evidence of attacks that use the newly revealed exploit.

(via BGR)

Ryan Petrich, a self-proclaimed iOS hacker/engineer, has managed to get the old Google Maps from iOS 5.1 running on an iPhone that has been updated to iOS 6. You can see the hack in the video below, but you can’t get hold of it just yet. Petrich says the software is still too “crashy” to release it to the public, but that it mostly works. When the development is complete, users who have jailbroken their devices can expect the return of Google Maps to the iPhone.

So, at least there is one person working on fixing the terrible Maps situation. Actually, there are quite a few people working on the problem, but Petrich’s solution is the only one yet seen. Apple is going on a hiring spree for software engineers to improve the maps app, though they will have to hire thousands of employees to match Google’s map software quality. The 7,100-strong Google Maps team is currently rushing to create a stand-alone version of Google Maps for the iPhone before Christmas.

(via BGR)

As previously reported, the AntiSec branch of Anonymous took to Pastebin to detail how it leaked a million Apple Device IDs (unique device identifier numbers – UDIDs) and other personal information by breaching an FBI notebook. They allegedly gained access to 12 million device IDs, but only published a million of them.

In the long document, the group wrote:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.

so…penis.

The group also used the document to express support to Wikileaks and Julian Assange, and for the Russian punk band Pussy Riot.

More on that story here.

The whole thing may have some Apple users a little rattled, particularly given that Apple IDs were at the center of one of last month’s big security stories.

About a month ago, Wired writer Mat Honan wrote a lengthy piece about an “epic hacking,” he experienced. At the root of the problem were some security issues related to Apple IDs and Amazon accounts.

“Apple tech support gave the hackers access to my iCloud account,” Honan wrote at the time. “Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”

You remember that story right? It was all over the tech news. In a later piece about his digital recovery, Honan wrote, “It’s shameful that Apple has asked its users to put so much trust in its cloud services, and not put better security mechanisms in place to protect them. AppleIDs are too easily reset, which effectively makes iCloud a data security nightmare. I’ve had person after person after person report similar instances to me, some providing documentation showing how easily their Apple accounts were compromised.”

“And due to Apple’s opacity, I have no way of knowing if things have improved,” he added.”Apple has refused to tell me in what ways its policies weren’t followed ‘completely’ in my case. Despite being an Apple user for nearly 20 years and having generally positive feelings toward the company, I no longer trust it to do the right thing in terms of protecting my data. I’ve turned off its Find My services and won’t turn them back on.”

Apple has a big event planned for the launch of the next iPhone for September 12. While that is very much anticipated by Apple users and future Apple users, perhaps another event centered around security is in order to set minds at ease.

Update: Apple and the FBI are both denying that the FBI had these IDs to begin with.

PC World is reporting that a security firm, Security Explorations, warned Oracle about the current exploits in Java back in April. The firm published a press release on April 2 that said they found 19 weaknesses in the Java platform. On that same day, they sent a notice to Oracle containing all 19 of the vulnerabilities. Among those 19 were the two that are being used now in hacking attacks.

After receiving the notice, Oracle only patched three of the 19 reported vulnerabilities in the June update. The company sent Security Explorations a notice in August saying that they were going to fix the two currently exploited weaknesses alongside 17 other flaws in the October patch.

Of course, this brings up the question of how hackers got a hold of these weaknesses. Security Explorations says that the recent attacks exploit the flaw in a different way from their report. They don’t suspect anybody of leaking critical security information, but they aren’t ruling it out either. Somebody on the black market would probably pay a pretty penny for such exploits, but there’s nothing to suggest such a scenario.

As for now, we can only wait on Oracle for a fix. They will definitely patch the problems in October, if not sooner. It would look bad on Oracle if they waited to fix such a critical security hole though. For now, your best off just disabling the Java plugins in your browser.

The plaintiff in the e-filed court document is Katie Szpyrka, a senior associate at a Chicago real estate firm. She has been a LinkedIn member since 2010, and also paid for an upgraded premium account. She claims that LinkedIn failed to adequately protect users with “basic industry standard encryption methods.” By this, the plaintiff means LinkedIn should have been salting its password hashes. These claims are made in light of LinkedIn’s privacy policy, which states that “All information that you provide will be protected with industry standard protocols and technology.”

While salting and re-hashing passwords certainly is a good security practice, it will be interesting to see if the plaintiff’s lawyers can manage to demonstrate that it is an industry standard. The fact that both eHarmony and Last.fm were also included in the password leak would seem to be evidence that salting passwords before hashing is not “standard,” even if it should be.

One interesting claim made in the lawsuit is that the password hash was originally stolen from LinkedIn by a hacker using an SQL injection attack. LinkedIn has never officially stated how the passwords were originally leaked. If LinkedIn did leave itself open to SQL injection, it might be a factor more likely way to prove that LinkedIn did not live up to its policy standards, and therefore was in breach of contract. Still, LinkedIn maintains that no unauthorized access resulted from the leak, meaning that an award for damages seems unlikely. The lawsuit, though, also asks for an injunction against LinkedIn, forcing it to better protect its members’ private data.

The court document can be read as a PDF on the Courthouse News website. The entire debacle started on June 6, when it was discovered that over 6.4 million LinkedIn passwords were leaked to a hash cracking website. LinkedIn responded that same day by deactivating member accounts associated with the leaked passwords and emailing members with information on how to reset their passwords. In the following week it was revealed that some of the leaked passwords also belonged to Last.fm and eHarmony.

(via Courthouse News)