lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 2 Apr 2009 18:51:22 -0400
From: Robert Lemos <rlemos53@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Security Research Suggests Security Researchers
	Owned

Security Research Suggests Security Researchers Owned

Associated Press

A high percentage of active security researchers have been hacked, and
have their shit "pwnt", according to recent research by a
collaboration of security researchers. Malicious hackers, possibly
from China, are considered responsible for most cases. "It really goes
beyond just having our files compromised," security researcher Dan
Kaminsky told us, "they have our passwords, our nudes, our Instant
Messages, our e-mails, our Social Security Numbers, our addresses and
phone numbers, our financial and business information, our website
source codes, our girlfriends and our shoe sizes. These people have
everything, they really have total control over our lives."

Dan Kaminsky led a research team that included notable insecure
researchers Christien Rioux, Nate McFeters, Billy K. Rios, Petko D.
Petkov, and Dragos Ruiu. They pooled their resources to analyse just
how thoroughly they have been compromised. In an email response, Billy
K. Rios informed us that "pdp did some polling around the community.
Dragos wrote some scripts that did a lot of heavy analysis on our
machines and Nate was really good at distributing them and getting
results. Dan was all over the place, without him we wouldn't have
these graphs. And of course we all chipped in on the blogging."

According to Kaminsky, between the group of them, they have a
"shitload" of compromised files. "But it isn't just us," he continued,
"security researchers everywhere are at risk. We're some of the very
best at what we do, and even we cannot mitigrate all risk factors to
eliminate the potential for damage. My less experienced
contemporaries, like Halvar Flake, are really in no position to defend
themselves." As far as Dan could tell, "most of [the collaborating
team]" have been hacked in the past year. "This means that the average
security researcher has probably been hacked." Dan explained that the
Chinese are probably to blame, because of the forensic evidence
pointing in that direction. "These IPs are often Chinese. This is war,
war on the white man. It's like the Jewish holocaust, just it's a
whitehat holocaust."

If you are a prominent security researcher, what can you do help
yourself? Right now, not much, according to Kaminsky. "At my talk at
the Blackhat Briefings this summer I will explain how to subvert this
risk. Until then, the whitehats of the world need to talk to IOActive
about investing in their Comprehensive Computer Security Services."

When elaborating on the extent of damages that could be caused by
hackers, Dan explained that "they could make modifications to our
websites and could even write PHP code that would steal your password
when you log in and then send it back to a remote server of theirs.
This is why the use of secure salted asymmetric crytographic hashes is
important. That's an area that, based on our review of our machines,
is occasionally under-utilised. Hackers can do a lot more than just
steal our identities or purchase comic books on ebay with our credit
cards. They could scan our databases and use our resources to send
viruses, or use our websites as trusted sites to trick you into
downloading a virus. If you wait for my Blackhat talk, I will be
explaining these risks in full."

Billy K. Rios provided us with more details on how they became
interested in such innovative research areas. "We've been actively
monitoring and researching a number of hacker communication channels,
like the Full-Disclosure mailing list and some Internet Relay Chat
rooms. We've been watching packets, and those are always interesting.
Shiny, too. Between us, we pretty much hear everything. Due to our
diligent observations, we noticed some of our spools and passwords
have been shared amongst underground hackers. It seems some of root
passes were even traded for accounts on private torrent sites."

Real hackers were unavailable for comment.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ