Australian LulzSec hacker arrested
Australian police have arrested IT security professional and self-proclaimed leader of an international hacking ring Matthew Flannery after he allegedly infiltrated a government website this month.
The 24-year-old man, from Point Clare on the NSW central coast, claims to be a leader of the international hacking group LulzSec.
LulzSec, an abbreviation of "lulz" (laughs) and security, was formed in 2011. The group has claimed responsibility for multiple high-profile cyber attacks, including against Sony, Rupert Murdoch's News International, the CIA and other government organisations. They are also associated with prominent international hacking group Anonymous.
Flannery, known online as Aush0k, is a "well-informed" IT professional who worked for Sydney-based firm Content Security. The company said he was a recent hire and has been dismissed since being arrested on Tuesday evening, and no longer has access to Content Security's building or computer system.
The AFP said Flannery had access to sensitive information from clients that included government agencies.
But the company has denied this. "Flannery did not and does not have access to any customer information that was or could have been used to carry out any malicious activity or compromise systems," it said in a statement.
Content Security said that although Flannery had undergone thorough background checks during his employment, the company was in the process of retaining an independent company to audit its employment process.
"He is a well-respected person within the Anonymous community, within LulzSec and that side of the house, but he has also worked in the IT professional field," said Brad Marden, co-ordinator for cyber crime operations at the AFP.
Police say Flannery used information gathered from his workplace to gain access to and deface a government website from his computer, which has been seized by police. Police would not confirm details of the hack or the website, but said that it was not a federal government site.
"He took advantage of a commonly known exploit to access the [website], and then put a back door in so that he could gain further access to the website and also posted other things on that website", said Superintendent Marden.
Flannery is not thought to have accessed personal private information stored on the site.
"We are not dealing with small petty crime here," said Commander Glen McEwen, manager of cyber crime operations at the AFP. "The potential for such access has huge ramifications for society.
"The potential for damage is immeasurable. This is not harmless fun. This is serious."
Flannery appears to have been working alone, police said, but has been involved with LulzSec for some time, and his multiple claims to be a figurehead of the group did not go unchallenged by other members of the online community.
Flannery's LinkedIn profile claims that he works for security firm Tenable Network Security, but the company has denied this. "Matt Flannery is not and has never been an employee of Tenable Network Security," chief research officer Renaud Deraison told Fairfax Media.
"We're in touch with LinkedIn to have this misrepresentation of Mr Flannery's employment record corrected on his profile."
Police said his arrest at work on Tuesday evening in Sydney was the first by the AFP of a LulzSec member.
In the United States last week, LulzSec hacker Cody Kretsinger, 25, who pleaded guilty last year to a computer breach of Sony Pictures Entertainment, was sentenced to one year in prison and community service.
In April, British LulzSec hacker Ryan Ackroyd, 26, pleaded guilty to cyber attacks on Sony, Nintendo, News International and the Arizona State Police.
The AFP said they discovered the man's online activities less than two weeks ago, as part of investigations into cyber crime. He is allegedly known to international law enforcement agencies.
Flannery was released on bail on Tuesday evening. A spokesman for NSW Local Courts confirmed to IT Pro he will face court on May 15 on charges of unauthorised access and modification to restricted data.
The AFP advised IT businesses to:
- Provide employee awareness and education programs;
- Monitor content going into and out of networks;
- Implement acceptable use policies for wireless technology, information technology and mobile devices;
- Complete background checks on staff;
- Conduct mandatory reporting of misuse and abuse of computer equipment;
- Complete a set of written standard operating procedures for technology;
- Manage account and password policies.