
Re: [Full-disclosure] Security Research Suggests Security Researchers Owned



April Fools' Day is for jokes.

On 4/2/09, Razi Shaban <razishaban@xxxxxxxxx> wrote:
> April fools was two days ago
>
> On 4/3/09, Robert Lemos <rlemos53@xxxxxxxxx> wrote:
>> Security Research Suggests Security Researchers Owned
>>
>> Associated Press
>>
>> A high percentage of active security researchers have been hacked, and
>> have their shit "pwnt", according to recent research by a
>> collaboration of security researchers. Malicious hackers, possibly
>> from China, are considered responsible for most cases. "It really goes
>> beyond just having our files compromised," security researcher Dan
>> Kaminsky told us, "they have our passwords, our nudes, our Instant
>> Messages, our e-mails, our Social Security Numbers, our addresses and
>> phone numbers, our financial and business information, our website
>> source codes, our girlfriends and our shoe sizes. These people have
>> everything, they really have total control over our lives."
>>
>> Dan Kaminsky led a research team that included notable insecure
>> researchers Christien Rioux, Nate McFeters, Billy K. Rios, Petko D.
>> Petkov, and Dragos Ruiu. They pooled their resources to analyse just
>> how thoroughly they have been compromised. In an email response, Billy
>> K. Rios informed us that "pdp did some polling around the community.
>> Dragos wrote some scripts that did a lot of heavy analysis on our
>> machines and Nate was really good at distributing them and getting
>> results. Dan was all over the place, without him we wouldn't have
>> these graphs. And of course we all chipped in on the blogging."
>>
>> According to Kaminsky, between the group of them, they have a
>> "shitload" of compromised files. "But it isn't just us," he continued,
>> "security researchers everywhere are at risk. We're some of the very
>> best at what we do, and even we cannot mitigate all risk factors to
>> eliminate the potential for damage. My less experienced
>> contemporaries, like Halvar Flake, are really in no position to defend
>> themselves." As far as Dan could tell, "most of [the collaborating
>> team]" have been hacked in the past year. "This means that the average
>> security researcher has probably been hacked." Dan explained that the
>> Chinese are probably to blame, because of the forensic evidence
>> pointing in that direction. "These IPs are often Chinese. This is war,
>> war on the white man. It's like the Jewish holocaust, just it's a
>> whitehat holocaust."
>>
>> If you are a prominent security researcher, what can you do to help
>> yourself? Right now, not much, according to Kaminsky. "At my talk at
>> the Blackhat Briefings this summer I will explain how to subvert this
>> risk. Until then, the whitehats of the world need to talk to IOActive
>> about investing in their Comprehensive Computer Security Services."
>>
>> When elaborating on the extent of damages that could be caused by
>> hackers, Dan explained that "they could make modifications to our
>> websites and could even write PHP code that would steal your password
>> when you log in and then send it back to a remote server of theirs.
>> This is why the use of secure salted asymmetric cryptographic hashes is
>> important. That's an area that, based on our review of our machines,
>> is occasionally under-utilised. Hackers can do a lot more than just
>> steal our identities or purchase comic books on ebay with our credit
>> cards. They could scan our databases and use our resources to send
>> viruses, or use our websites as trusted sites to trick you into
>> downloading a virus. If you wait for my Blackhat talk, I will be
>> explaining these risks in full."
>>
>> Billy K. Rios provided us with more details on how they became
>> interested in such innovative research areas. "We've been actively
>> monitoring and researching a number of hacker communication channels,
>> like the Full-Disclosure mailing list and some Internet Relay Chat
>> rooms. We've been watching packets, and those are always interesting.
>> Shiny, too. Between us, we pretty much hear everything. Due to our
>> diligent observations, we noticed some of our spools and passwords
>> have been shared amongst underground hackers. It seems some of our root
>> passes were even traded for accounts on private torrent sites."
>>
>> Real hackers were unavailable for comment.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
