Anonymous, LulzSec Dump Data from 70 Sheriffs' Offices

Anonymous continued its attacks against law enforcement agencies to protest recent arrests of Anonymous members and Topiary by breaching a third-party marketing firm hosting 70 law enforcement Websites.

Under the banner of its "AntiSec" campaign, the so-called "hacktivist" collective Anonymous and its counterparts in the recently resurrected LulzSec struck again, this time going after multiple law enforcement agencies in the United States, Ecuador and Brazil. The group also defaced Websites belonging to the Syrian and Colombian governments.

The attackers uploaded a 7.4GB file via BitTorrent on Aug. 6; the file contained more than 300 email boxes from 56 different law enforcement domains, personal details belonging to more than 7,000 sheriffs in Missouri, online police-training videos, and a list of 60 people who called in about Anonymous on the tips hotline. Dubbed "Shooting the Sheriffs," the file contained personal details such as user names, passwords, home addresses, telephone numbers and Social Security numbers.

All in all, 70 law enforcement agencies, mostly rural sheriffs, were hit in the latest AntiSec campaign. The data came from 76 Websites in 11 states, including Arkansas, Louisiana, Kansas, Missouri and Mississippi, and was stolen during the July 31 attack. The current dump appears to be related to the sample of Social Security numbers belonging to 100 police officers that Anonymous leaked previously.

"We are doing this in solidarity with Topiary and the Anonymous PayPal LOIC defendants as well as all other political prisoners who are facing the gun of the crooked court system," the attackers wrote in the file's summary on BitTorrent.

Topiary refers to the spokesperson of LulzSec, whom British police arrested in Scotland last month and charged with five counts of computer misuse, including unauthorized access to a computer system, encouraging or assisting offenses, conspiracy to carry out distributed denial-of-service attacks, and conspiracy to commit computer misuse offenses. He is out on bail and is banned from using the Internet.

The Federal Bureau of Investigation also arrested 16 individuals in July for participating in a distributed denial-of-service attack against PayPal earlier in the year using the Low Orbit Ion Cannon tool.

Anonymous said the goal was to "embarrass, discredit and incriminate police officers across the U.S.," in retaliation for the ongoing arrests of Anonymous members.

Mountain Home, Ark.-based online marketing firm Brooks-Jeffrey Marketing hosted and managed Websites for the affected law enforcement agencies. The attackers discovered a vulnerability in BJM's servers that allowed them access, according to the AntiSec press release. It appears that BJM discovered the breach of several law enforcement Websites on its platform and took them offline, but failed to fix the underlying vulnerability or remove the backdoor code before adding new sites.

"We were surprised and delighted to see that not only did they relaunch a few sites less than a week later, but that their 'bigger, faster server that offers more security' carried over our backdoors from their original box," said the AntiSec statement. "This time, we were not going to hesitate to pull the trigger: In less than an hour, we rooted their new server and defaced all 70+ domains, while their root user was still logged in and active."

Application Security CTO Josh Shaul told eWEEK in the past that IT administrators often just close the security hole when a breach is detected, but neglect to perform a full audit to check for other vulnerabilities or changes the attackers made. As a result, backdoor code and malware remain undiscovered and allow attackers to re-compromise the system repeatedly.

The attackers also created a backdoor into BJM's online store, captured credit card numbers and used them to make "involuntary donations" to varied organizations such as the American Civil Liberties Union, the Electronic Freedom Foundation and the Bradley Manning Support Network.

"The fact that credit card numbers were stolen and used because they were stored in the clear just shows that companies need to understand how to protect sensitive data on servers exposed to the Internet," Wasim Ahmad, vice-president of data security at Voltage Security, told eWEEK. Data-centric encryption techniques should have been used, Ahmad said.

Anonymous members also defaced the Syrian ministry of defense Website to protest the government's deadly crackdown against demonstrators; defaced Facebook and Twitter accounts belonging to German Vargas Lleras, Colombia's minister of the interior, to protest a new copyright law; and released information about 45,000 Ecuadorian police officers after the government said it would prosecute Anonymous participants.

On the Syrian Website, the group posted statements in Arabic and English, with the English statement expressing support for Syrian demonstrators: "The world stands with you against the brutal regime of [Syrian President] Bashar Al-Assad."

Hackers in Brazil leaked 8GB of data relating to Operation Satiagraha, a Federal Police investigation that recently resulted in a corruption conviction for a prominent banker. The dump included sensitive documents, audio files, telephone wiretap transcripts, video and photographs.