• United States



It’s all fun and games until someone LulzSec’s an eye

Mar 06, 20123 mins
Application SecurityCloud SecurityCybercrime

LulzSec’s leader appears to have dealt his organization a fatal blow — in the dumbest of ways.

Fox News has an exclusive this morning on how Hector Xavier Monsegur, an unemployed, 28-year-old father of two, allegedly commanded LulzSec’s international team of hackers from his nerve center in a public housing project on New York’s Lower East Side, using the nickname “Sabu.” From the Fox report:

Law enforcement agents on two continents swooped in on top members of the infamous computer hacking group LulzSec early this morning, and acting largely on evidence gathered by the organization’s brazen leader — who sources say has been secretly working for the government for months — arrested three and charged two more with conspiracy.

Charges against four of the five were based on a conspiracy case filed in New York federal court, has learned. An indictment charging the suspects, who include two men from Great Britain, two from Ireland and an American in Chicago is expected to be unsealed Tuesday morning in the Southern District of New York.

“This is devastating to the organization,” said an FBI official involved with the investigation. “We’re chopping off the head of LulzSec.”

The news comes a week after the CEO of CloudFlare admitted protecting LulzSec. At the RSA conference, CloudFlare CEO Matthew Prince said his company was part of what he described as an intense experience that was at times alarming, but ultimately quite educational, as his company provided security protection for the group everyone wanted to take down.

My colleague Joan Goodchild wrote this from the conference:

On June 2nd, 2011, the antisec hacker group known as LulzSec launched a web site. Although they had been an active hacking group for several weeks, the creation of was their first official web presence other than the Twitter account they had been using.

Shortly after launching, the group experienced a denial-of-service attack and the site was taken down. But within 45 minutes, they were back up and running again — and they had created an account with CloudFlare, a cloud-based security and performance service for web sites. CloudFlare offers both free and commercial services, and LulzSec had signed up for a free account.

During the time CloudFlare provided services to LulzSec, they saw a myriad of attacks from all over the globe that ranged from Layer Seven attacks that Prince described as “harmless,” to one he termed as “clever” — an IP scan and attack on CloudFlare’s router interfaces. None were successful in taking down LulzSec.

The peak day, according to Prince, was on June 16th when they saw 21 gigabytes of attack traffic. It was shortly after LulzSec had taken down several popular gaming sites, including Minecraft.

“You can’t pay for pen testing like this. Once we realized we were going to survive, it was actually kind of a fun experience for us,” said Prince.

Of course, the best security company in the world can’t protect you when you insist on making a public spectacle of yourself, as Monsegur chose to do.