Krebs: I know who hacked Ashley Madison
Plus: '123456' and 'password' are popular, er, passwords on the affairs-R-us website
It appears someone closely linked to the hacking gang that ransacked adultery website Ashley Madison has accidentally outed him or herself.
Investigative computer security journo Brian Krebs, with the help of pals, today named a Twitter user they believe is involved with Impact Team, which publicly leaked 33 million accounts from the Tinder-for-cheaters website. There's a $378,000 reward waiting for anyone who helps snare the cyber-gang.
Here are the clues and OPSEC fails that led Krebs to prolific tweeter Deuszu:
- Shortly after Impact Team told Krebs they had hacked AshleyMadison.com, and confidentially gave him a link pointing out where he could download a copy of the swiped databases, Deuszu tweeted the very same link. Krebs was apparently the first to learn of the website's compromise, so how else did Deuszu get hold of the same URL?
- When Impact Team was through ransacking the IT infrastructure of Ashley Madison and its parent Avid Life Media, the hackers left a message on one staffer's PC demanding the dismantlement of the website, with a copy of AC/DC's Thunderstruck playing in the background. Going through Deuszu's tweets, it appears the netizen is a fan of the Ozzie hard rock heroes, going as far as telling one organization he or she hacked in 2012: "Next time, it will be Thunderstruck. #ACDC"
- Deuszu also had Thunderstruck playing in a browser tab when he or she posted on Twitter a screenshot that showed “replication servers” being configured to “get the show started.” This post was made 12 hours before Impact Team first contacted Krebs.
- A day before journalists spotted Impact Team had dumped the full databases on file-sharing networks, Deuszu tweeted a copy of the team's "time's up" statement that announced the leak.
- The tweeter also enjoys boasting of compromising and hijacking routers, networked cameras and printers, and websites.
"[Deuszu] — whoever and wherever he is in real life — may not have been directly involved in the Ashley Madison hack; he claims in several tweets that he was not part of the hack, but then in countless tweets he uses the royal 'We' when discussing the actions and motivations of the Impact Team," wrote Krebs on his blog, which delves further into the tweeter's Facebook profile and possible whereabouts.
"It is possible that Zu is instead a white hat security researcher or confidential informant who has infiltrated the Impact Team and is merely riding on their coattails or acting as their mouthpiece. But one thing is clear: If Zu wasn’t involved in the hack, he almost certainly knows who was."
Weak passwords, weak minds
In other developments, infosec researcher Dean Pierce has thrown a handful of GPUs at six million bcrypt-hashed account passwords from the leaked Ashley Madison databases, and cracked about 4,000 of them in five days. The most popular password was "123456" (202 of the 4,000), followed by "password" (105) and "12345" (99).
"Of the 4,007 cracked passwords, only 1,191 of them were unique," Pierce noted. "Maybe these passwords were all throwaways. It may also be infeasible to crack any given bcrypt password, but given enough users, it doesn't matter if passwords are bcrypted and salted, a ton of passwords are eventually going to pop out."
Finally, if you're sick and tired of endless coverage of the Ashley Madison scandal in the mainstream press, here's our handy roundup of everything newspaper, magazine and TV journos are dying to tell you. ®