Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.
Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. Logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.
Security researchers have long been targets of computer and internet-based attacks; that in itself is nothing new. But the recent rash of attacks, which coincided with this year's Black Hat and Defcon conferences in Las Vegas, is getting more attention in the security world than previous ones.
“You can immediately see how emotional this is,” said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. “People are generally worried. You’re always worried you made some stupid mistake.”
Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago.
Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account. “It’s going to make me be a bit more vigilant,” he said. “I don’t think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure.”
What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two-dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.
Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw. Some posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.
Others guess that the miscreants gained entry through the victims’ blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at time of writing) was also used to unlock his Yahoo Mail account.
Credit: Dan Goodin, The Register.