Security researchers' accounts ransacked in embarrassing hacklash
'War' aims to shame
On Sunday morning, security consultant Alan Shimel woke to discover that his personal blog, which is frequented by countless peers and reporters, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and aired sensitive documents he filed with the Internal Revenue Service.
Oh, and while the miscreants were at it, they sent crude pornographic images to parents on the Little League baseball team Shimel coached.
The chief strategy officer for security firm StillSecure, Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. And logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.
To be sure, security researchers have always been the target of computer- and internet-based attacks. But the recent rash of attacks, which coincided with this year's Black Hat and Defcon conferences in Las Vegas, is getting more attention in the security world than previous ones.
"You can immediately see how emotional this is," said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. "People are generally worried. You're always worried you made some stupid mistake."
What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than in exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.
Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw.
Perhaps, but that doesn't make sense to us. An XSS flaw lets an attacker run script inside a logged-in victim's browser and hijack that session, or the cookies behind it, to reach restricted parts of a website without ever learning the password. Whoever broke into Petkov's account was able to archive an entire email spool into an mbox file, the format a desktop mail client writes when it downloads a mailbox over POP or IMAP, both of which require the account password. Armed only with a hijacked web session, the attackers most likely would have had to archive all 2GB of it message by message. Petkov and Google were still investigating the breach, Petkov said Friday.
Others posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, whose patched OpenSSL seeded its random number generator with little more than the process ID from September 2006 until May 2008 (CVE-2008-0166). Every key it generated was one of only 32,768 candidates per key type and size, so such keys are trivial to crack by simply regenerating the whole set. Once a server's key is recovered, encrypted sessions that relied on it, even those recorded years ago, can be decrypted, provided the session key was exchanged by RSA encryption under that key rather than by an ephemeral Diffie-Hellman exchange, which this attack does not expose.
Still others guess that the miscreants gained entry through the victims' blogs, which typically ran blogging software from TypePad or WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo! Mail account, so a single stolen credential opened both.
Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Ferris didn't return an email asking for comment.
The public attacks are the latest reminder that privacy on the internet is never guaranteed, even for those whose technical skills far surpass those of the average internet denizen.
"Personally, I don't keep any personal email on any webserver," said Jeremiah Grossman, CTO of WhiteHat Security and the only non-victim security researcher willing to be named in this story.
Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account.
"It's going to make me be a bit more vigilant," he said. "I don't think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure." ®
This story was updated to correct the spelling of Shimel's name.
TypePad does *not* have the security holes that WordPress does.
Dan, you say, "Still others guess that the miscreants gained entry through the victims' blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes."
This is false, and you should know better. The results from the Pwnie awards to the IBM X-Force report to the U.S. Department of Homeland Security's reports all list WordPress among the least secure applications of any kind, not just web apps. TypePad is nowhere to be found on those lists, because it's consistently been extremely secure and reliable for our users.
Re: Outsourced email doesn't need to imply lax security
Hi William. You are quite right. Security is a risk assessment. Suffering a DoS is likely a lot less damaging than having information stolen though. The DoS will end but stolen information is gone forever.
I use alpine to read my mail and the only way to my MTA is to authenticate ssh using RSA keys. The box is locked behind a firewall too. Yes I could suffer a loss of availability or utility but I have assessed the risk and determined that it is a good trade-off.
I'm a sysadmin who takes a lot of notice of security (as all sysadmins should, imho) and I was really surprised to see these security researchers making such basic mistakes.
In passing ...
// modify 10 if you want longer/shorter password
// add to 62 if you also include symbols in your array