Second LulzSec Sony Hacker Suspect Arrested

A second alleged member of LulzSec has been arrested on charges of having hacked the Sony Pictures website last year.

The FBI Tuesday announced the arrest in Phoenix of Raynaldo Rivera, 20, after he was named in a federal grand jury indictment. The indictment, which was returned on August 22 but not unsealed until Tuesday, charged Rivera on two counts: unauthorized impairment of a protected computer and conspiracy. If convicted on all counts, Rivera faces up to 15 years in prison.

According to the indictment, LulzSec (a.k.a. Lulz Security) launched attacks against the Sony Pictures website between May 27 and June 2, 2011. The indictment noted that the group later anonymously took credit for the exploit, saying it had been accomplished via a SQL-injection attack.

Like other alleged members of LulzSec, Rivera appears to have more than a passing interest in computers. "On Rivera's Facebook page, he describes himself as 'just your common computer geek,' and appears to have recently left a job at the University of Advancing Technology in Tempe, Arizona," said Graham Cluley, senior technology consultant at Sophos, in a blog post.

[ Is your hotel lock secure? See Hotel Keycard Lock Hacker Questions Firmware Fix. ]

According to the indictment, Rivera's co-conspirator in the attack was Cody Kretsinger, then 23. A previous indictment relating to the Sony attack was handed down in September 2011, and it named Kretsinger. He was arrested in Phoenix, and pleaded guilty to the charges in April, reversing an earlier not-guilty plea. Kretsinger is due to be sentenced on October 25.

According to a Pastebin post in which LulzSec claimed credit for the Sony Pictures attacks, the group boasted that it had obtained one million Sony website users' passwords, and that they hadn't been encrypted. "From a single injection, we accessed everything," according to the LulzSec statement. "What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it's just a matter of taking it." But the group said it had only had time to post 150,000 of the stolen usernames and passwords to the LulzSec website.

Authorities have accused Rivera of taking the information stolen from Sony and posting it online, including names, passwords, birthdates, email and postal addresses, and phone numbers of people who'd entered Sony contests.

Sony estimated that the attack led to $600,000 in clean-up costs. But Sony also faces at least one class-action lawsuit over the more than dozen breaches it suffered last year. In the wake of the exploit, embarrassing evidence emerged that Sony had recently laid off many of its information security personnel.

How did authorities track down Rivera? According to the indictment, which accused Rivera of using the aliases "Neuron," "Royal," and "Wildicv," he'd attempted to mask his IP address and remain anonymous by using a proxy server. That detail is telling, since the FBI busted Kretsinger (a.k.a. "Recursion") after VPN service provider HideMyAss.com was served with a court order seeking information related to several LulzSec exploits, including attacks against Sony, the U.K.'s Serious Organized Crime Agency, as well as NATO. While U.K.-based HideMyAss.com had promised that its service masks users' identities "behind one of our anonymous IP addresses," the company said it had no choice but to comply with the court order.

According to previously published LulzSec chat logs, Recursion, LulzSec spokesperson Topiary, and Neuron claimed to be using HideMyAss.com.

Authorities have now arrested multiple LulzSec suspects across Ireland, the United Kingdom, and the United States. Related law enforcement investigations have been aided by Hector Xavier Monsegur, better known as LulzSec leader and Anonymous mastermind Sabu. He was secretly arrested by the FBI in June 2011, after which he began working as a confidential informant, and later pleaded guilty to all charges against him. In recently filed court documents, the FBI requested a six-month delay in his sentencing, "in light of the defendant's ongoing cooperation with the government."

Vulnerability scanners can be used to help detect and fix systemic problems in an organization's security program and monitor the effectiveness of security controls. However, a vulnerability scanner can improve the organization?s security posture only when it is used as part of a vulnerability management program. In our Choosing The Right Vulnerability Scanner report, we give you tips on choosing and implementing vulnerability scanners in your enterprise. (Free registration required.)