Feeds

Security researchers' accounts ransacked in embarrasing hacklash

'War' aims to shame

Build a business case: developing custom apps

On Sunday morning, security consultant Alan Shimel woke to discover that his personal blog, which is frequented by countless peers and reporters, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and aired sensitive documents he filed with the Internal Revenue Service.

Oh, and while the miscreants were at it, they sent crude pornographic images to parents on the Little League baseball team Shimel coached.

The chief strategy officer for security firm StillSecure, Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. And logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.

To be sure, security researchers have always been the target of computer- and internet-based attacks. But the recent rash of attacks, which coincided with this year's Black Hat and Defcon conferences in Las Vegas, are getting more attention in the security world than previous ones.

"You can immediately see how emotional this is," said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. "People are generally worried. You're always worried you made some stupid mistake."

What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two-dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.

Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how the they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw.

Perhaps, but that doesn't make sense to us. XSS exploits typically allow you to enter restricted parts of a website without the benefit of a password. Whoever broke into Petkov's account was able to archive an entire email spool into an mbox file. Without knowing his password, the attackers most likely would have had to archive all 2GB message by message. Petkov and Google were still investigating the breach, Petkov said Friday.

Others posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.

Still others guess that the miscreants gained entry through the victims' blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo Mail account.

Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Ferris didn't return an email asking for comment.

The public attacks are the latest reminder that privacy on the internet is never guaranteed, even for those whose technical skills far surpass those of the average internet denizen.

"Personally, I don't keep any personal email on any webserver," said Jeremiah Grossman, CTO of White Hat Security and the only non-victim security researcher willing to be named in this story.

Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account.

"It's going to make me be a bit more vigilant," he said. "I don't think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure." ®

This story was updated to correct the spelling of Shimel's name.

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?