Feeds

Security researchers' accounts ransacked in embarrasing hacklash

'War' aims to shame

Using blade systems to cut costs and sharpen efficiencies

On Sunday morning, security consultant Alan Shimel woke to discover that his personal blog, which is frequented by countless peers and reporters, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and aired sensitive documents he filed with the Internal Revenue Service.

Oh, and while the miscreants were at it, they sent crude pornographic images to parents on the Little League baseball team Shimel coached.

The chief strategy officer for security firm StillSecure, Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. And logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.

To be sure, security researchers have always been the target of computer- and internet-based attacks. But the recent rash of attacks, which coincided with this year's Black Hat and Defcon conferences in Las Vegas, are getting more attention in the security world than previous ones.

"You can immediately see how emotional this is," said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. "People are generally worried. You're always worried you made some stupid mistake."

What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two-dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.

Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how the they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw.

Perhaps, but that doesn't make sense to us. XSS exploits typically allow you to enter restricted parts of a website without the benefit of a password. Whoever broke into Petkov's account was able to archive an entire email spool into an mbox file. Without knowing his password, the attackers most likely would have had to archive all 2GB message by message. Petkov and Google were still investigating the breach, Petkov said Friday.

Others posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.

Still others guess that the miscreants gained entry through the victims' blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo Mail account.

Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Ferris didn't return an email asking for comment.

The public attacks are the latest reminder that privacy on the internet is never guaranteed, even for those whose technical skills far surpass those of the average internet denizen.

"Personally, I don't keep any personal email on any webserver," said Jeremiah Grossman, CTO of White Hat Security and the only non-victim security researcher willing to be named in this story.

Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account.

"It's going to make me be a bit more vigilant," he said. "I don't think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure." ®

This story was updated to correct the spelling of Shimel's name.

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.