HideMyAss Anonymous VPN Shops Lulzsec Suspects


HideMyAss has admitted it does not hide people’s online asses if they use its service for illegal purposes. The anonymous VPN service has admitted that it handed over the details of one of the alleged Lulzsec hackers who attacked systems belonging to Sony Pictures Entertainment.

The HideMyAss service is based in the UK and provides a free proxy that tells users they can “surf anonymously online, hide your IP address, secure your internet connection, hide your internet history, and protect your online identity.”

Last week the alleged Lulzsec hacker known as ‘Recursion’, aka Cody Andrew Kretsinger, 23, of Phoenix, Arizona, was arrested by the FBI.

Court Order

HideMyAss explained that it had complied with a court order to disclose the IP address that Kretsinger had used to log into the HideMyAss service.

Kretsinger had allegedly used HideMyAss’s web proxy service to disguise his IP (internet protocol) address whilst he was supposedly hacking into Sony Pictures Entertainment servers.

That hack was part of the attack earlier this year on Sony that exposed the names, birth dates, addresses, emails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony.

And HideMyAss defended its role in handing over the IP address to the FBI in a blog posting.

“We have received concerns by users that our VPN service was utilised by a member or members of the hacktivist group ‘lulzsec’,” it wrote. “It first came to our attention when leaked IRC chat logs were released, in these logs participants discussed about various VPN services they use, and it became apparent that some (Lulzsec) members were using our service.”

“No action was taken, after all there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using,” HideMyAss said. “At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases.”

Illegal Activity

HideMyAss went on to explain that, as stated in its terms of service and privacy policy, its service is not to be used for illegal activity, and as a legitimate company it would co-operate with law enforcement if it received a court order (equivalent of a subpoena in the US).

“Our VPN service and VPN services in general are not designed to be used to commit illegal activity,” it said. “It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.”

It said its service was designed to be used by people wishing to bypass censorship, such as during the recent Egyptian revolution “for which our service played a key role for protesters gaining access to websites such as Twitter which were blocked by the government.”

However it seems that Kretsinger may not be the only Lulzsec hacker that used HideMyAss.

Hacker Anger

According to the Guardian newspaper, HideMyAss may also be close to revealing the IP details of another alleged hacker with the online tag of ‘Neuron’, who may also be facing imminent arrest.

The newspaper cited the Pastebin logs, which show that “Neuron” and “Recursion” are not the same person, as the two were in the same chatroom at the same time, and on one occasion addressed each other directly. Recursion then apparently quit the group after it attacked an FBI-related site early in June, but Neuron remained.

Predictably the decision by HideMyAss to reveal Recursion’s IP address has not gone down well in the hacker community.

“Question @HideMyAssCom: Was it worth to rat out one guy who allegedly hacked #PSN in exchange for all your business? You will find out soon,” AnonymousIRC tweeted.

Meanwhile one of HideMyAss’s rivals lost little time in touting for business.

AirVPN said in a statement that it does not keep logs in the way that HideMyAss does: “we would like to reassure our users and our customers that nothing like that [handover of logs] may happen with AirVPN, for a series of legislative.”

It also said that it was based in the EU, not in the USA, and that it does not recognise American jurisdiction.
