For more than a year, The Jester ( @th3j35t3r on Twitter) has been a thorn in Anonymous’s side, taunting the movement’s organizers even as he attacked some of the same targets. But his main targets have been English-language websites that recruit followers for al-Qaida and other militant Islamic movements, and he has claimed to have developed tools that let him knock such sites offline single-handedly.
On Friday evening (March 9), The Jester used his blog to detail an complicated hack against devices running Android as well as Apple’s iOS, which is found on iPhones and iPads.
“At the beginning of this week, just hours before the news of Hector Monsegur’s arrest broke, many of you will have noticed that my Twitter profile pic changed from the usual ‘Jester Mask’ to a QR code,” The Jester wrote on his blog Friday. (Monsegur was revealed last Tuesday as “Sabu,” a leader of the Anonymous spinoff group LulzSec who’d been working with the FBI for the past several months.)
QR codes, as regular SecurityNewsDaily readers know, are a security nightmare. The two-dimensional barcodes, which pop up in ads and on product packaging, are meant to whisk your iPhone or other smartphone to a promotional website. However, they could just as easily take you to a website loaded with malware aimed at your smartphone.
That’s exactly what The Jester says he did.
“Anyone who scanned the QR code using their mobile device was taken to a jolly little greeting via their device’s default browser hosted on some free webspace,” he wrote on his blog. “The greeting featured my original profile pic and the word ‘BOO!’ directly below it.”
But embedded in that page was hidden code that exploited a known vulnerability for Apple’s Safari and Google’s Android and Chrome Web browsers. (That known vulnerability has supposedly been patched in the latest versions of iOS and Android, but as both Weidman and Zdziarski pointed out, many smartphone users either don’t or can’t update their own phones.)
The hidden website code connected to another server, which was running a network diagnostic tool called Netcat.
“When anyone scanned the original QR code using an iPhone or Android device, their device would silently make a TCP shell connection back to my remote server,” The Jester wrote. “Like a phone call, if you like.”
Next, The Jester said, Netcat checked if Twitter software was installed on the target phone. If so, the script would check for a linked Twitter account, then send that account’s user name back to The Jester’s server.
“As for using QR codes to launch browser-based exploits, Jester’s explanation is correct,” Weidman said. “Mobile Safari has to run unsigned code since Web pages, PDFs, etc., are not all signed by Apple, and if you couldn’t look at webpage on your iPhone, everyone would buy Androids.”
Crossing the line?
So far, there’s nothing explicitly illegal or even, arguably, unethical here. The Jester’s software has only been listening to see how much information a social-networking app will give up. Many “proof-of-concept” hacks developed by security researchers are similar.
The next step is where it gets malicious. The Jester said his script cross-checked each harvested Twitter user name against a “hit list” of Twitter accounts associated with Anonymous news sites and chat rooms, Islamist recruiting sites and WikiLeaks.
“His payload checking Twitter names for the victims he wanted and then only targeting them is something I find pretty clever,” Weidman said. “As for the privilege escalation and dumping info off the phones, this is pretty standard in a jailbreak/root or malicious attack. This is common in mobile malware.”
Like The Jester himself, many hacktivists associated with Anonymous, LulzSec and similar groups communicate mainly via Twitter. (The Justice Department has begun to subpoena Twitter for the real names behind many accounts.)
Two known individuals were also on The Jester’s hit list: Barrett Brown and Rhode Island state Rep. Dan Gordon, whose apparent chumminess with Anonymous had raised The Jester’s ire.
(“I had no idea it was something one could scan, much less with their phone,” Brown said of the QR code. “The FBI took my phone last week anyway, so it wouldn’t have mattered if I had.”)
“If the prerequisite conditions outlined above were met and the device’s Twitter client WAS associated with an account on the ‘[hit] list,’’ things got very interesting,” The Jester wrote on his blog. “Another script fired elevating permissions and raping the SMS logs, call logs and phonebooks and (as long as the user was using the default out of the box email client) emails stored within.”
In other words, if the Twitter user name matched one on The Jester’s enemies list, then a second piece of programming tried to take over the targeted phone. If it succeeded, it would access archived SMS text messages, incoming- and outgoing-number logs, archived emails and address books/contact lists, then send all that data back to The Jester’s server.
“Creepy?” The Jester asked rhetorically on his blog. “Only if you are naughty.”
Good guys vs. bad guys
The Jester wrote on his blog that this “sting” went on for five days, until another Twitter user noticed the embedded code and asked him about it. But, he wrote, that was long enough to gather a lot of data.
Advertise | AdChoices
“Over 1,200 curious netizens scanned the QR code,” he wrote. “Of those, over 500 devices reverse-shelled back to the listening server. Of those, a significant number were on the ‘[hit]-list’ and as such treated as valid targets.”
As for the justification for all this, The Jester was very clear.
“EVERYONE else without exception was left totally ‘untouched’ so to speak,” he wrote. “This was a proof-of-concept QR-code-based operation against known bad guys, the same bad guys that leak YOUR information, steal YOUR [credit-card numbers] and engage in terror plots around the world. I do not feel sorry for them.”
Today (March 12), The Jester posted an encrypted 143-megabyte file containing all the data he’d extracted to MediaFire, a file-sharing site.
“It’s encrypted with my PGP public key,” he wrote, referring to a common encryption standard. “Have fun with that.”
In a private communication, SecurityNewsDaily asked The Jester why he’d encrypted the information rather than post it in regular, plain text.
“I encrypt my [data] dumps as a matter of course because I am not the same as my detractors who drop personal info all the time,” he replied. “The right people have the plain text dump. It would be highly irresponsible of me to be dropping anything in the open.”
But The Jester wouldn’t let on to what he hoped to accomplish by doing this.
“Many folks are trying to analyze and prod at my methods,” he told SecurityNewsDaily. “The truth is they don’t know me, can’t find me and speculate as to how I do my thing.
“Everything anyone says (good or bad) is based on assumptions and conjecture,” he added. “That’s the way I like it. Nobody has any firm ground to stand on.”
Without knowing what’s in the data dump, it’s hard to assess how much damage the information could do to Anonymous, or to the various al-Qaida-affiliated websites also targeted.
“[It] would depend on who exactly was compromised,” Brown said.
Asked whether The Jester’s tactics were justified, Brown was equivocal.
“It’s certainly justified within the context of this particular engagement, one in which things get hacked, people get monitored, documents get stolen and apartments get raided,” he said. “I’m certainly a legitimate target for such things.”
Is the FBI listening?
However, as SecurityNewsDaily pointed out to both men, The Jester with this action has moved beyond attacking Jihadi sites and trying to establish the identities of Lulzsec members to targeting known U.S. citizens with malware. Was he worried that doing so might put him in the cross hairs of law enforcement?
“As far as LEA’s [law enforcement authorities] taking an interest in me, we will have to wait and see,” he told SecurityNewsDaily.
Brown doesn’t think The Jester needs to worry, as long as he sticks to attacking perceived enemies of the state.
“I’m not convinced he’s upset U.S. law enforcement at all,” Brown said. “You’re allowed to break all sorts of laws if you do so in the interests of national security.
“Like me, that particular congressman [Rep. Dan Gordon, actually a state representative] is no friend of the national security state,” Brown added. “As such, we’re legitimate targets. Remember that this is a country in which the Justice Department set the Team Themis/Wikileaks affair in motion. If it weren’t such a country, Anonymous wouldn’t be necessary.”
The Jester doesn’t sound too worried that a SWAT team’s going to bust down his door any time soon.
Reminded that Twitter was receiving subpoenas for information on users, he replied, “There is no identifying information held in my profile, and I never connect even close to directly. It’s a rule of mine.”