A proxy service that LulzSec hackers used in hopes of hiding their IP addresses may ultimately prove to be the group’s undoing.
The FBI announced on Thursday that it had arrested Cody Kretsinger, also known as the LulzSec hacker “Recursion,” for an attack against the computer systems of Sony Pictures Entertainment that affected more than 70 million users. Kretsinger used an online proxy service provided by HideMyAss.com to hide his information when hacking Sony.
What hackers like Kretsinger don’t realize is that although proxy services like HideMyAss.com hide a user’s IP address on outbound connections, the services themselves still see that IP address on inbound connections, says Jason Lackey of Cisco. Lackey wrote a blog post expressing his disappointment over Kretsinger’s arrest. He’d met Kretsinger at the annual Black Hat conference earlier this year.
“I was not sad to see the good guys bust a cybercriminal, but I was sad to see a nice guy I had met and talked to briefly at BlackHat Las Vegas 2011 turn out to be a suspect wanted by the FBI,” he wrote in a blog post a day after the arrest. The post contains one of the few pictures available online of Kretsinger.
It was revealed earlier this year, after the Guardian published LulzSec’s leaked chat logs, that LulzSec members used HideMyAss.
"It first came to our attention when leaked IRC chat logs were released, in these logs participants discussed about various VPN services they use, and it became apparent that some members were using our service," HideMyAss said in a statement. "No action was taken, after all, there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using."
But after receiving a court order asking for information about the users, HideMyAss complied, handing over a log of when the users had connected.
Defending their practice of keeping track of users who connect to their service, HideMyAss said the information is used to prevent abuse of the service and stop illegal activity.
“Being able to locate abusive users is imperative for the survival of operating a VPN service, if you cannot take action to prevent abuse you risk losing server contracts with the underlying upstream providers that empower your network. Common abuse can be anything from spam to fraud, and more serious cases involve terrorism and child porn.”
The main type of logging HideMyAss does is called session logging, which records when a customer connects to or disconnects from its server. The log records who connected, to what sites, and at what time.