Date: Fri, 3 Apr 2009 02:00:16 +0300
From: Razi Shaban <razishaban@...il.com>
To: Robert Lemos <rlemos53@...il.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Security Research Suggests Security Researchers Owned

April Fools was two days ago

On 4/3/09, Robert Lemos <rlemos53@...il.com> wrote:
> Security Research Suggests Security Researchers Owned
>
> Associated Press
>
> A high percentage of active security researchers have been hacked, and
> have their shit "pwnt", according to recent research by a
> collaboration of security researchers. Malicious hackers, possibly
> from China, are considered responsible for most cases. "It really goes
> beyond just having our files compromised," security researcher Dan
> Kaminsky told us, "they have our passwords, our nudes, our Instant
> Messages, our e-mails, our Social Security Numbers, our addresses and
> phone numbers, our financial and business information, our website
> source codes, our girlfriends and our shoe sizes. These people have
> everything, they really have total control over our lives."
>
> Dan Kaminsky led a research team that included notable insecure
> researchers Christien Rioux, Nate McFeters, Billy K. Rios, Petko D.
> Petkov, and Dragos Ruiu. They pooled their resources to analyse just
> how thoroughly they have been compromised. In an email response, Billy
> K. Rios informed us that "pdp did some polling around the community.
> Dragos wrote some scripts that did a lot of heavy analysis on our
> machines and Nate was really good at distributing them and getting
> results. Dan was all over the place, without him we wouldn't have
> these graphs. And of course we all chipped in on the blogging."
>
> According to Kaminsky, between the group of them, they have a
> "shitload" of compromised files. "But it isn't just us," he continued,
> "security researchers everywhere are at risk. We're some of the very
> best at what we do, and even we cannot mitigate all risk factors to
> eliminate the potential for damage. My less experienced
> contemporaries, like Halvar Flake, are really in no position to defend
> themselves." As far as Dan could tell, "most of [the collaborating
> team]" have been hacked in the past year. "This means that the average
> security researcher has probably been hacked." Dan explained that the
> Chinese are probably to blame, because of the forensic evidence
> pointing in that direction. "These IPs are often Chinese. This is war,
> war on the white man. It's like the Jewish holocaust, just it's a
> whitehat holocaust."
>
> If you are a prominent security researcher, what can you do to help
> yourself? Right now, not much, according to Kaminsky. "At my talk at
> the Blackhat Briefings this summer I will explain how to subvert this
> risk. Until then, the whitehats of the world need to talk to IOActive
> about investing in their Comprehensive Computer Security Services."
>
> When elaborating on the extent of damages that could be caused by
> hackers, Dan explained that "they could make modifications to our
> websites and could even write PHP code that would steal your password
> when you log in and then send it back to a remote server of theirs.
> This is why the use of secure salted asymmetric cryptographic hashes is
> important. That's an area that, based on our review of our machines,
> is occasionally under-utilised. Hackers can do a lot more than just
> steal our identities or purchase comic books on ebay with our credit
> cards. They could scan our databases and use our resources to send
> viruses, or use our websites as trusted sites to trick you into
> downloading a virus. If you wait for my Blackhat talk, I will be
> explaining these risks in full."
>
> Billy K. Rios provided us with more details on how they became
> interested in such innovative research areas. "We've been actively
> monitoring and researching a number of hacker communication channels,
> like the Full-Disclosure mailing list and some Internet Relay Chat
> rooms. We've been watching packets, and those are always interesting.
> Shiny, too. Between us, we pretty much hear everything. Due to our
> diligent observations, we noticed some of our spools and passwords
> have been shared amongst underground hackers. It seems some of the root
> passes were even traded for accounts on private torrent sites."
>
> Real hackers were unavailable for comment.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
