Tuesday, December 21, 2010

Gnosis Grabs Gawker Goodies

Earlier this month, hackers accessed and later released about 500MB of information from Gawker's commenter database as well as source code from the site, itself, which is home to about 1.5 million usernames, e-mails, and passwords. This breach and the subsequent cracking of the 200,000+ usersnames and passwords, which were encrypted with DES encryption, was carried out by a group known as Gnosis.1

A letter from Gnosis, the group claiming responsibility for the attack stated...

We went after Gawker because of their outright arrogance. It took us a few hours to find a way to dump all their source code and a bit longer to find a way into their database.
We found an interesting quote in their Campfire logs:
Hamilton N.: Nick Denton Says Bring It On 4Chan, Right to My Home Address (After
The Jump)
Ryan T.: We Are Not Scared of 4chan Here at 210 Elizabeth St NY NY 10012
I mean if you say things like that, and attack sites like 4chan (Which we are not affiliated to) you must at least have the means to back yourself up. We considered what action we would take, and decided that the Gawkmedia “empire” needs to be brought down a peg or two. Our groups mission? We don’t have one.
We will be releasing the full source code dump along with the database at 9PM GMT today. You are the only outlet we have told the release time.
We cannot provide any more information as to how the attack was carried out, because this could be used against us.
We have been cracking the database for about 17 hours and have managed to retrieve 273,789 passwords. If our release schedule wasn’t so tight we could get 500,000+. Included in the dump are passwords linked to accounts from Nasa, about every .gov domain you could imagine and hundreds from banks. One can only pray that they do not use the same password everywhere. The actual database size is 1,247,897 rows, which is 80+% of their database.
(Private data redacted)
We have had access to all of their emails for a long time as well as most of their infrastructure powering the site. Gawkmedia has possibly the worst security I have ever seen. It is scary how poor it is. Their servers run horribly outdated kernel versions, their site is filled with numerous exploitable code and their database is publicly accessible.
We will be releasing the full source code to their site as well as the full database dump later today or tomorrow, when we get enough press to stir up the release. We will also be releasing a text file describing Gawkers numerous security failings.

A follow-up email mentioned that...

On an interesting side note there are 2650 users in the database using the password “password” or “querty”. Of these users one is registered under a .gov email address, 3 are from a .mil addres and 52 are from .edu addresses. 

While the method of this attack is not in the scope of this current article, one thing is... a very scary but realistic fact. The odd thing about this attack was the simplicity of the passwords that were uncovered. At the top of the list was "123456", followed by "password"...<slaps forehead> and other SIMPLE, EASY TO GUESS passwords. This brings the glaring light of information security down to bear on Gawker and their security policies. How can these be allowed?


It's sad to note that 75 % of people reuse the same password for different accounts and.or services..3
What does this mean? Well, if a site is compromised and some one gets your username and password, chances are that that information will be used to as a potential entry point into other attacks.

When conducting a penetration test, I am surprised at how many people will use the same username or passwords on multiple systems. A password for an account with no access gotten off of a system will often be the same password for an Administrator or Root account on another. Things like that are good for the attacker or pen-tester, but bad for the system admin or the end user.

Is that password that you use to comment on widgets the same one that you use for Facebook?... Amazon?... your bank? Point taken? Good!

OK, OK, so what to do?

  • First, use a different password on EVERY site.
  • Use at least an 8 character password utilizing upper and lower case as well as numbers and special characters like "!", "@", "#" and "$"
  • Don't use passwords common to you like your birthdate, car model, anniversary, son's dog's name, etc.

3 http://www.securityweek.com/study-reveals-75-percent-individuals-use-same-password-social-networking-and-email

Thursday, November 25, 2010

Learning from the Past - "Happy Thanksgiving you turkeys"

Happy Thanksgiving! 

For those who had never heard, or may have forgotten, I decided to write about a Thanksgiving "hacker event" that took place in the 1980's, a time when I was getting involved with computers and was devouring everything that I could find on computers and their various topics. It was kind of like a "'Twas the night before Christmas" story but with presents that nobody wanted. 

Back on November 28, 1989 the technicians at WNET (Channel 13) in New York City were preparing for their annual Thanksgiving Day celebration when a message popped up on their computer screens.

"Happy Thanksgiving you turkeys from all of us at MOD". 

Actually, the full message read,

"Haha! You want to log in? Why? It's empty! HAHAHAHAHA! Happy Thanksgiving you turkeys, from all of us at MOD." 

This message would also be seen by teachers and librarians as well.

It was signed by: Phiber Optik, Acid Phreak, Outlaw, Corrupt and Scorpion, five members of the Masters of Deception. Later during an NBC News broadcast on November 14, 19901 , Phiber Optik, found out to be Mark Abene and Acid Phreak would take responsibilities for sending "the message".

Within hours, a mysterious group of computer hackers known as the Masters of Deception (MOD) had erased nearly all the information contained on a WNET educational network called the Learning Link.

Perception. Based upon the above information, what would be your perception of a hacker? Got it? OK, put a bookmark there and let's continue...

A later, separate, but related story1 that was taken from a U.S. Newswire on July 8, 1992, wrote of the MOD in an indictment that...

A computer hacker is someone who uses a computer or a telephone to obtain
unauthorized access to other computers.

As we have seen, hackers can often be their own worst enemy. One hacker that was interviewed on a separate occasion commented:
"It's not just winning that counts but making sure that everyone else loses." 2

People's perceptions of the hacker and hacker culture were being formed by things that were said and done by hackers and in at least the case referenced above, the legal profession.

You look at a person or group that is generally marked by intelligence, resourcefulness and curiosity and because of motivation and criminal activity ends up giving the entire group a black eye.

So what can be learned from the past?

For starters:
  1. Don't do anything illegal.
  2. Don't destroy data.
  3. Let your imagination and curiosity go.
  4. Examine your motivation... Since we are talking about the past, it'd be nice for people to revisit the days of MIT's TMRC and their Coke machine, etc. If you're not familiar with that, I'll leave that one to your own digging, but there is worthwhile reading in a lot of real "old school hacks" and what is, or should be the true motivation for people.

Anyway, Happy Thanksgiving!

Sunday, November 14, 2010

Simple SQL Sinks Cyber Security

TinKode injects his own plans after UK MoD spends £650m in new funding for cyber security.
Please see the full story here.

What's the moral of this story? Sometimes the most elaborate plans are foiled by a simple, fixable issue.

The second moral is that copycat criminals and script kiddies abound. Perform your own audits and see where your security is lacking and then fix it.

SQL injection? Seriously?!?!

Saturday, November 13, 2010

David Kernell, the "Sarah Palin Hacker" is Sentenced to 1 Year and 1 Month

Yesterday, November 12th, David Kernell, the former UT student was sentenced to 1 year and 1 day for 
breaking into Sarah Palin's email account by guessing the answers to her personal information and performing a password reset (to popcorn) of her Yahoo! mail account (gov.palin@yahoo.com). According to CBS News, "he had to correctly answer the question, "Where did you meet your spouse?" The correct answer was: "Wasilla High.""1

After gaining access to her account, he posted screen shots of his activity to 4chan.

Notable quotes from this and a related article...

  • "...has been sentenced to a year and a day with the judge recommending the term be served in a halfway house, not prison. "2

  • "In breaking into Palin's account, the F.B.I. said at the time that Kernell left an easy trail to follow." 3

  • Asked outside court if she thought the charges against Kernell were excessive, Palin said, "I don't know, but I do think there should be consequences for bad behavior." 4
Now, obviously, the legality of Mr. Kernell's actions aren't a subject for debate, but I would like to bring up a few interesting thoughts.

First, the prevalence of sites asking for personal information is pretty pervasive. Many sites will ask you  "What is your mother's maiden name?", "Where did you meet your spouse?" or "Who was your second grade teacher?" While the first question is pretty easy to find, people tend to overlook the plethora of information that is available on the Internet about themselves and tend to think that their favorite ice cream flavor or some other "personal" question is hard to "guess". Browsing through Tweets or Facebook posts would probaly provide the needed information for the attacker to be able to reset the target's password or at least obtain more information.

The second fact that I wanted to point out was from the audit trail left behind by Mr. Kernell posted evidence of  his exploits on 4chan's website. This seems to be typical for the "hacker" who's motivation is for the thrill of the conquest. The need for recognition points to this person committing this act for notoriety rather than financial gain or for political espionage.

Remember, "Loose lips, sink ships!" wasn't just a truism for World War II. A person shouldn't be the source of his opponent finding out information about him.

1 http://www.cbsnews.com/stories/2010/11/12/national/main7047981.shtml
2 Ibid
3 Ibid
4 http://www.cbsnews.com/stories/2010/04/23/politics/main6425263.shtml?source=related_story

Thursday, November 11, 2010

10 Riskiest Places to Give Out Your Social Security Number

I recently read an article that speaks about and lists the 10 Riskiest Places to Give Out Your Social Security Number. From colleges and banks to government to medical offices, the list runs the gamut or common places that you basically either have to use your social security number as an identifier or that your number is listed regularly on a variety of common forms, etc.

With the rise in identity theft and the convenience (to the companies) in mind, what's a person to do to protect yourself?

What can be done? For starters, regularly monitor your credit report for suspicious activity

Also, ask the company or agency that you are dealing with if your social security number is required. You'd be surprised at the responses that I've received what I asked if it's needed and they say, "No. That's just on there."

Getting and reading a copy of the company/agency/business' privacy and/or confidentiality policies helps understand what the company that you are dealing with is actually going to do with the information.

Of course, online identity protection and security could take a series of articles and is not covered in this story.

For more information on your Social Security Number and what to expect, you can check out this link.