Book Review: “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012)” by Parmy Olson

Executive Summary: 

This book is a must read for all cyber security professionals. It does not cover the entire Anonymous movement, but by focusing on the evolution of the Anonymous Franchise and the rise and fall of the LulzSec hacking group, Ms. Olson captures the essence of the hacktivist culture and what motivates its supporters. If you seek to understand the Hacktivist movement, this book is a primer.

Review: 

The Anonymous Franchise really hit its stride between the years of 2010 and 2011. Hacktivism began earlier than that of course (1994 was the first documented case that I could find [12]), but it did not strike fear into the hearts of CEOs, CSOs and government officials until that two year run. It was the perfect storm of technology, disenfranchised youngish people, “Internet Pranks as an Art Form,” empowerment and the hacking culture that came together into a gigantic hairball of activity and energy that caused governments from around the world to double-clutch on some of their more severe policies and caused business leaders to actually fear the impact to their bottom line. Trying to understand that phenomena is quite the task and Parmy Olson, in her 2012 book, “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency,” is an apt guide. Through unprecedented access to some of the core players on many of the more infamous operations, Olson is able to capture the essence of how the hacktivist movement got started in earnest, to describe the inevitable drama between competing factions and to provide insight into how this franchise operates.

I call it a franchise because “Anonymous” is not a club. You do not pay dues. You do not register your name, email account and twitter handle with anybody in power. There is no singular power. The Anonymous Franchise is more of an idea than an organization. Hacktivists use that idea to get attention in the media and to get a reaction from the target they are pursuing.

For example, if I wanted to protest the US Senate’s inability to pass gun-control legislation this year (2013)[22], I might write a scathing blog pointing out the dwarf-like physical characteristics of some of the key senators involved (if I was a law-abiding white-hat citizen). On the other hand, I might choose to go the other way and organize a Distributed Denial of Service (DDOS) attack against a few key senator’s web pages or compromise the same senator’s email accounts and publish their messages on a public site somewhere (if I was willing to live on the lawless side wearing a black hat). The point is that if I did those things, nobody would care. Nobody on the planet knows who I am and all of those activities (white hat and black hat) would just register as part of the noise. But, if I wrap myself around the trappings of the Anonymous Franchise – the imagery, the youtube videos with Matrix-like voiceovers and the Twitter public relations campaigns – I amplify the importance of my cause to the general public and clueless media outlets. The Anonymous Franchise has heft. By claiming to be a leader in the group, regardless if I am or not, I get instant recognition and have all the assumed powers that the public thinks the group has. Genius!

Key Terms:

Ms. Olson walks the reader through the history of how this franchise was built and does a really good job explaining the culture. Below are just some of the concepts that are important to understanding the Anonymous phenomenon.

• 4Chan: “A simple image-based bulletin board where anyone can post comments and share images anonymously [9].” 
• /b: One of the most popular boards on 4Chan with the most outrageous content; a place where many Anonymous Franchise contributors hang out [10]. 
• Troll Bait: “Someone whose opinionated, volatile, easily offended, insecure nature makes them super-easy targets [for pranks] [21].” Going after trolls is one of the common themes in 4Chan and the /b forums. 
• Internet Relay Chat (IRC): simple, real-time chat system created in 1988 by a programmer named Jarkko “WiZ” Oikarinen. “IRC networks were helping Anonymous turn from an unpredictable, volatile mass of image board users into well-organized, sometimes-threatening groups [1].” 
• DDOS: Distributed Denial of Service Attack – Many computers launching packets at a single target in an effort to overwhelm the target and prevent it from functioning [23]. 
• LOIC: Low Orbit Ion Cannon – Created by Praetox, a software client that makes it easy for one user to be part of a DDOS campaign; Anonymous Franchise tool of choice for a time [8]. Anonymous supporters later deployed Mobile LOIC that allowed users to launch LOIC from their phone (No client download needed) [1][35]. 
• SQL Injection Attacks: The hacker delivers SQL commands to web applications that accept client input. Unprotected sites are vulnerable to outsiders reading sensitive database data, modifying database data or executing administration operations on the database. [32] 
• Guy Fawkes: Anonymous Franchise Icon. In history, an infamous conspirator [activist] to The Gunpowder Plot of 1605 in which a group of Catholics attempted to blow up the Houses of Parliament and kill the King. [7]. 

Along the way, Olson scuttles a few of the Anonymous Franchise myths. The main one is that not all contributors are elite hackers. In fact, most are not. Many of the Operation’s leaders are, for sure, and some of them are quite skilled. But most contributors that consider themselves part of the Anonymous movement are enthusiastic activists with a lot of Internet savvy. They can run circles around the average Joe in terms of Internet communication, but not many have ever slung any real code.

Olson describes how the leaders of the more infamous operations (Chanology, Payback, Freedom Ops, etc) understood this and leveraged it. They treated these enthusiastic activists as trolls, in some kind of perverse recursive prank, and made them think they were more important than they really were. In the early days, leaders even provided the masses a tool, the Low Orbit Ion Cannon, which allowed them to easily participate in a DDOS raid of choice. Of course, the developers of the Low Orbit Ion Cannon did not initially protect the users from prying eyes like the FBI. Law Enforcement made many arrests [23]. But the Anonymous PR machine kept churning; proclaiming the success of the hacktivist masses against evil governments and commercial empires.

The dirty secret though was that as the targets got bigger (PayPal, MasterCard, Visa), the effectiveness of the Low Orbit Ion Cannon, even with thousands of contributors, did not put a dent in the defenses of these well defended targets. It was not until the leaders leveraged their own BotNets that these web sites were brought to their knees. Of course, that was not the message the PR machine generated. In order to completely leverage the Anonymous Franchise and get the attention of the media and the intended targets, they had to proclaim that the damage was being done by the Anonymous masses. Olson calls this 

“… a mirage of power and scale [19].”

Open Source Hacktivism Milestones: 

At the end of the book, Olson lists a comprehensive timeline of significant Hacktivist events. I culled it down to the below list and supplemented it with arrest information of the core members of LulzSec since many were not arrested by the time Olson published her book.

• (November 5, 1994): First Documented Hacktivism: A group called the Zippies launches a DDoS attack on U.K. government websites, taking them down for a week starting on Guy Fawkes Day [1][12]. 
• (1996): “Hacktivism” Coined: Cult of the Dead Cow (cDc) member, Omega, coins the word "hacktivism" characterizing the group's political philosophy [12]. 
• (September 29, 2003): 4Chan Created: Christopher “moot” Poole registers 4chan.net. (It is now 4chan.org.) [1][12].
• (July 12, 2006): Habbo Hotel Attack: Users of 4chan’s /b/ raid Habbo Hotel, a virtual hangout for teens. They join the online game en masse and flood it with avatars of a black man in a gray suit and an Afro hairstyle, blocking the entrance to the virtual pool and forming swastikas [1]. 
• (January 21, 2008): Operation Chanology: A handful of Chanology participants publish a video on YouTube of a robotic voice declaring war on Scientology. This starts a multi-year campaign against the religious group. [1][13]. 
• (February 10, 2008): Guy Fawkes Masks: Anonymous supporters don masks from the film, “V for Vendetta,” and hold protests outside Scientology centers in key cities around the world such as New York, London, and Dallas, Texas [1][14]. 
• (September 17, 2010): Operation Payback: Supporters of Anonymous launch a DDoS attack on Indian software company Aiplex after it admits to launching its own DDoS attacks on BitTorrent site The Pirate Bay. Anonymous launches several more attacks against copyright companies under the banner Operation Payback. Supporters collaborate on an array of IRC networks. Tflow uses SQL injection for the first time under the Anonymous banner [1][15]. 
• (December 8, 2010): Transition from LOIC to Botnets: AnonOps launches a DDoS attack on PayPal.com, MasterCard.com , and Visa.com using 4,500 volunteers with the LOIC. The attacks only become successful when one person using a botnet takes the sites fully offline [1]. 

Note: Tflow's use of SQL injection and the franchise’s use of a Botnet marks the milestone where operation’s leaders decide they can do more damage by moving away from crowd controlled DDOS attacks.

• (2011 - 2012): Operation Tunisia / Operation Freedom Ops: OpTunisia was the first of what became the Freedom Ops, which focused largely on other Middle Eastern countries during the Arab Spring but spread much farther. For the first time, Anonymous had gotten on the winning side of a real fight, and it liked the feeling [1][14]. 
• (February 6, 2011): Aaron Barr: “Anonymous” steals tens of thousands of Aaron Barr’s corporate e-mails, private e-mails as well as those of two executives at sister company HBGary Inc. It also takes over his Twitter feed and DDoSes and defaces his site. HBGary federal goes out of business. [1][17]. 
• (April 2011): LulzSec Forms: Sabu, Topiary, Kayla, Tflow, AVunit, and Pwnsauce break away from Anonymous to form LulzSec [1]. 
• (May – June 2011): LulzSec 50 Day Hacking Spree: Sabu leads the newly formed team of elite hackers against 22 distinct commercial and government targets [1][18]. 
• (June 7, 2011): FBI turns Sabu. Federal agents come to his apartment on New York’s Lower East Side and threatened the 28-year-old with an array of charges that could add up to 124 years in prison. Sabu becomes an FBI informant [1]. 
• (June 26, 2011): LulzSec Disbands / AntiSec Forms: LulzSec announces it is disbanding after “50 Days of Lulz, ” rejoining Anonymous and creating a strictly political hacktivism group called AntiSec [1][18]. 
• (July 19, 2011) Arrest: Tflow (Mustafa Al-Bassam) arrested by British police [28]. 
• (July 27, 2011): Arrest: Topiary (Jake Davis) arrested by Shetland Islands Police [11]. 
• (September 2, 2011): Arrest: Kayla (Ryan Ackroyd) arrested by British police [29]. 
• (December 24, 2011): STRATFOR: Under the supervision of the FBI, AntiSec steals more than 5 million email messages from the U.S. security intelligence firm Stratfor and over $700,000 from Stratfor subscriber’s credit cards. A week later, AntiSec turns all of the data over to Wikileaks; the largest public D0xing the Anonymous Franchise had ever accomplished. They also donated the stolen money to various charities [1][25]. 
• (January 2012): Arrest: Pwnsauce (Darren Martyn) [24]. 
• (March 6, 2012): FBI Outs Sabu: News breaks that Hector Monsegur has been acting as an informant for the FBI for the past eight months, helping them bring charges against Jeremy Hammond of Chicago and five people involved with LulzSec.[1] [26]. 

Arguably, the event that elevated the Anonymous movement to a force to be reckoned with in government and commercial circles was the HBGary attacks of February 2011. That hacktivist attack forced a corporation (HBGary Federal) to go out of business and the core set of hackers involved broke away from the Anonymous Franchise in April of 2011 to form LulzSec. For the next 50 days, LulzSec went on a hacking rampage that eventually led to their demise and the arrest of five out of their six members [1][17]. The bulk of Olson’s book describes, in intimate detail, that one year period; the events that led to the forming of LulzSec, the drama that unfolded as they went on their 50 day hacking spree, Sabu’s betrayal to LulzSec and the impact of that betrayal to the Anonymous movement. Ms. Olson gets the details right and although she does not cover the entire Anonymous movement – other Anonymous Franchise Operations happened in parallel that did not involve LulzSec – her description of these events gives a good sense about how the Anonymous franchise operates.

LulzSec Members: 

Below is a list of the core LulzSec members. Other anonymous supporters helped but these people were the inner circle.

• Sabu – Xavier Deleon – leon (Hector Xavier Montsegur): LulzSec leader and ultimately traitor. Well connected to the underground hacker scene; not a 4CHAN user. He conquered networks, then basked in his achievement. He was more interested in the cachet of taking over entire Internet service providers (ISPs) than pranking Scientologists. [1][26] 
• Topiary- atopiary (Jake Davis) – Spokesman; not a hacker but a charismatic mouthpiece that had a knack for manipulating and entertaining the press and Anonymous contributors. [1][26] 
• Kayla – lol - lolspoon (Ryan Mark Ackroyd ) – The Ninja Hacker. Kayla claimed to be a 14 year old girl. Ackroyd actually was twenty-five and had served in the British army for four years, spending some of that time in Iraq. He was the most extreme at protecting his/her private persona. [1][26] 
• Tflow (Mustafa Al-Bassam): Successful student and skilled hacker; under age at the time of his arrest. [28] 
• Pwnsauce – raepsauce - networkkitten (Darren Martyn): technically adept with a healthy professional life [24][26]. 
• AVunit: Elite hacker and the only LulSec crew member that did not get caught [1]. 

The Tech:

Ms. Olson does a really good job of explaining the tech that some of the Anonymous Franchise members used.

Web Site Recon Tools: Kayla used a powerful web script that let her scan the Internet for websites with exploitable vulnerabilities [1].

Hashkiller.com: A website that stores cracked and ready-to-be-cracked password hashes [1].

Gigaloader / JMeter: Web stress tools adopted by early Anonymous supporters to direct DDOS attacks against targets [1][30][31].

Havij: Lulzsec member’s favorite tool for SQL injection attacks [1]. “Automates bad guys' SQL injection attacks by detecting the database behind a targeted website, detecting whether it uses a string or integer parameter type, and testing different injection syntaxes on the target. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting [34].”

HideMyAss: Sabu bought accounts with virtual private networks, like HideMyAss, to better hide their ring of supporters and also to get more server space. When the FBI came knocking though, HideMyAss gave them up [1].

Drive By Attacks: Enticing someone in a chat room to visit a compromised website and installing malware on their system as a result [1].

Money Laundering through Second Life Gaming Worlds:

• Buy the in-game currency (Lindens). 
• Convert that money into U.S. dollars via a currency transfer site (VirWoX) 
• Place those dollars into a Moneybookers account. 
• Finally, transfer that money into a personal bank account. 

Money Laundering through Bitcoin:

Bitcoin address 1 → Bitcoin address 2 → Bitcoin address 3 → Liberty Reserve (a Costa Rican payment processor) account → Bitcoin address 4 → Bitcoin address 5 → second Liberty Reserve account → PayPal account → bank account.

Kayla’s OPSEC Procedures: By all accounts, Kayla was the most disciplined when it came to protecting her online persona. Below are just some of the things she routinely did. In the end though, the best OPSEC procedures could not protect her from an Insider Threat (Sabu).

• Rotated passwords almost daily [1]. 
• Hid data on tiny microSD cards [1]. 
• Booted operating systems from a USB stick [1]. 
• Used a VM (virtual machine) to do all hacking work. VMs acted as buffers between her computer and her life online. If anyone ever hacked her, he’d only get to the VM [1]. 
• Avoided using a virtual private network (VPN). VPN providers could always provide details to the police (As did HackMyAss when the FBI asked them for the online records pertaining to LulzSec) [1]. 
• Used a low-end cell phone with an unregistered SIM card to record all her passwords [1]. 
• Partitioned a small drive called sys on her phone that she used to store malicious code [1]. 
• Stored operating systems on a microSD card inside an encrypted MP3 player: a 32 GB SanDisk microSD, inside an 8 GB SanDisk MP3, inside an encrypted volume. Opening it now required a password and several key files, which were five MP3 songs out of thousands on his player [1]. 

Conclusion:

This book is a must read for all cyber security professionals. It does not cover the entire Anonymous movement, but by focusing on the evolution of the Anonymous Franchise and the rise and fall of the LulzSec hacking group, Ms. Olson captures the essence of the hacktivist culture and what motivates its supporters. I would put this in my list of Essential Cyber Security Books for Historical Context; those books that represent a fundamental aspect to Cyber Security like

Cyber Crime:

• "Fatal System Error: The Hunt for the New Crime Lords" by Joseph Menn 
• “Kingpin” by Kevin Poulsen 

Cyber Security Community

• "Worm" by Mark Bowden 

Cyber Warfare

• “Cyber Warfare: The Next Threat to National Security and What to Do about It” by Richard Clarke and Robert Knake 
• “Cyber Warfare: Techniques, Tactics and Tools for the Security Practitioners" by Jason Andress and Steven Winterfeld 

Sources:

[1] "We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency," by Parmy Olson, Published June 5 2012 by Little Brown and Company.

[2] “We Are Legion," Documentary produced, written and directed by Brian Knappenberger, 2012, Last Visited 8 May 2013
http://www.youtube.com/watch?v=gae0z5XRbHo

[3] “LulzSec hackers plead guilty, admit attacks on CIA, SOCA, Sony and others," by Graham Cluely, nakedSecurity - Sophos, April 9 2012, Last Visited 8 May 2013
http://nakedsecurity.sophos.com/2013/04/09/lulzsec-topiary-jake-davis-tflow/

[4] “Teenager arrested on suspicion of hacking," by BBC News Technology, June 21 2011, Last Visited 8 May 2013
http://www.bbc.co.uk/news/technology-13859868

[5] “9 Ways Hacktivists Shocked The World In 2012," by Mathew J. Schwartz, InformationWeek Security, December 21, 2012, Last Visited 8 May 2013
http://www.informationweek.com/security/attacks/9-ways-hacktivists-shocked-the-world-in/240145117?pgno=1

[6] “Deconstructing the Al-Qassam Cyber Fighters Assault on US Banks," by Holden, Analysis Intelligence, January 2013, Last Visited 8 May 2013
http://analysisintelligence.com/cyber-defense/deconstructing-the-al-qassam-cyber-fighters-assault-on-us-banks/

[7] “V for Vendetta," Last Visited 8 May 2013
http://www.shadowgalaxy.net/Vendetta/fawkes.html

[8] “What is LOIC," by Joel Johnson, Gizmodo, December 8 2012, Last Visited 8 May 2013
http://gizmodo.com/5709630/what-is-loic

[9] “What is 4chan," 4chan, Last Visited 8 May 2013,
http://gizmodo.com/5709630/what-is-loic

[10] “An Interview With The Founder of 4chan," by Rex Sorgatz, Fimoculous, February 18 2009, Last Visited 8 May 2013
http://gizmodo.com/5709630/what-is-loic

[11] “Man arrested over computer hacking claims," BBC News UK, July 27 2011, Last Visited 8 May 2013
http://www.bbc.co.uk/news/uk-14315442

[12] “Hacktivism: A Short History," by TY MCCORMICK, Foreign Policy, May/June 2013, Last Visited 9 May 2013
http://www.foreignpolicy.com/articles/2013/04/29/hacktivism

[13] “How Anonymous Works," Nathan Chandler, HowStuffWorks.com, 09 May 2013, Last Visited 9 May 2013
http://computer.howstuffworks.com/anonymous.htm

[14] "Dozens of masked protesters blast Scientology church," by John S. Forrester, boston.com, February 11, 2008, Last Visited 9 May 2013
http://www.boston.com/news/local/articles/2008/02/11/dozens_of_masked_protesters_blast_scientology_church/

[15] "Operation Payback: WikiLeaks Avenged by Hacktivists," By Tony Bradley, PCWorld, Dec 7, 2010, Last Visited 9 May 2013
http://www.pcworld.com/article/212701/operation_payback_wikileaks_avenged_by_hacktivist s.html

[16] “2011: The Year Anonymous Took On Cops, Dictators and Existential Dread," by BY QUINN NORTON , Wired, Jan 11, 2012, Last Visited 9 May 2013
http://www.wired.com/threatlevel/2012/01/anonymous-dicators-existential-dread/

[17] "HBGary Federal's Aaron Barr Resigns After Anonymous Hack Scandal," by Andy Greenberg, Forbes, February 28, 2011, Last Visited 9 May 2013
http://www.wired.com/threatlevel/2012/01/anonymous-dicators-existential-dread/

[18] "LulzSec Shutting Down After 50-Day Hacking Spree," by Chloe Albanesius, PCMAG.COM, June 25, 2011, Last Visited 9 May 2013
http://www.pcmag.com/article2/0,2817,2387581,00.asp

[19] Parmy Olson Interview, John Stewart, The Daily Show, , June 18, 2012, Last Visited 9 May 2013
http://www.thedailyshow.com/watch/mon-june-18-2012/parmy-olson

[20] Parmy Olson Interview, RT News, April 6, 2013, Last Visited 9 May 2013
http://www.youtube.com/watch?v=FYq-jKiZAv0

[21] “Troll Bait”, Urban Dictionary, Last Visited 9 May 2013
http://www.urbandictionary.com/define.php?term=TROLL%20BAIT

[22] "Gun background check compromise, assault weapon ban fail in Senate," by Ed O'Keefe, The Washington Post, April 17, 2013, Last Visited 11 May 2013
http://www.washingtonpost.com/blogs/post-politics/wp/2013/04/17/senate-to-vote-on-amendments-to-gun-bill-with-background-check-plan-in-doubt/

[23] "WHAT IS A DDOS ATTACK?," Verisign, Last Visited 11 May 2013
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/ddos/ddos-attack/index.xhtml

[23] "16 Arrested as F.B.I. Hits the Hacking Group Anonymous," By SOMINI SENGUPTA, New York Times, July 19, 2011, Last Visited 11 May 2013
http://www.nytimes.com/2011/07/20/technology/16-arrested-as-fbi-hits-the-hacking-group-anonymous.html?_r=0

[24] ""BEHIND THE MASK, ACCUSED LULZSEC MEMBERS LEFT TRAIL OF CLUES ONLINE," By Paul Roberts, threat post, March 10, 2012, Last Visited 11 May 2013
http://threatpost.com/behind-mask-accused-lulzsec-members-left-trail-clues-online-031012/

[25] "10 things you need to know about Anonymous’ Stratfor hack," by Sean Ludwig, Venture Beat, December 28, 2011, Last Visited 11 May 2013
http://venturebeat.com/2011/12/28/anonymous-stratfor-hack-10-things-to-know/#RoCDFX3wZ0o6WyJz.99

[26] "Six Hackers in the United States and Abroad Charged for Crimes Affecting Over One Million Victims ," U.S. Attorney’s Office, Southern District of New York, March 06, 2012, Last Visited 11 May 2013
http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims

[27] "Six Hackers in the United States and Abroad Charged for Crimes Affecting Over One Million Victims ," U.S. Attorney’s Office, Southern District of New York, March 06, 2012, Last Visited 11 May 2013
http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims

[28] “Pictured for the first time: British teenage hacker, 18, who took part in cyber attacks on the CIA and the Serious Organised Crime Agency," by KERRY MCDERMOTT, 9 April 2013, DailyMail ," Last Visited 11 May 2013
http://www.dailymail.co.uk/news/article-2306331/Mustafa-Al-Bassam-Pictured-The-British-teenage-hacker-18-took-cyber-attacks-CIA.html#ixzz2T013Ztmr

[29] “Hacker “Kayla” taken down in latest LulzSec arrests," by Peter Bright, Sept 2 2011, ars technica," Last Visited 11 May 2013
http://arstechnica.com/tech-policy/2011/09/kayla-taken-down-in-latest-lulzsec-arrests/

[30] “Click 'n Hit: How Supporters Of Anonymous Are Making It Easier To Cripple Websites," by Parmy Olson, February 17 2012, Forbes, Last Visited 11 May 2013
http://www.forbes.com/sites/parmyolson/2012/02/17/click-n-hit-how-supporters-of-anonymous-are-making-it-easier-to-cripple-websites/2/

[31] “Apache JMeter," The Apache Software Foundation, Last Visited 11 May 2013
http://jmeter.apache.org/

[32] “SQL Injection," OWASP – The Open Web Application Security Project, Last Visited 11 May 2013
https://www.owasp.org/index.php/SQL_Injection

[33] "Using Online Password Crackers," by Matt Weir, Reuseable Security, 24 June 2009, Last Visited 12 May 2013
http://reusablesec.blogspot.com/2009/06/using-online-password-crackers.html

[34] "Cybercrime's Love Affair With Havij Spells SQL Injection Trouble," by Ericka Chickowski, Dark reading, 28 March 2012, Last Visited 12 May 2013
http://www.darkreading.com/database/cybercrimes-love-affair-with-havij-spell/232700449

[35] "Mobile LOIC," by DDOSpedia, Radware, Last Visited 12 May 2013
http://security.radware.com/knowledge-center/DDoSPedia/mobile-loic/