ATTN Cain: OFUK, the Internet is here.

Started by Telarus, February 12, 2011, 02:04:33 AM

Telarus

How one man tracked down Anonymous—and paid a heavy price
http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars/

Quote
Aaron Barr believed he had penetrated Anonymous. The loose hacker collective had been responsible for everything from anti-Scientology protests to pro-Wikileaks attacks on MasterCard and Visa, and the FBI was now after them. But matching their online identities to real-world names and locations proved daunting. Barr found a way to crack the code.

In a private e-mail to a colleague at his security firm HBGary Federal, which sells digital tools to the US government, the CEO bragged about his research project.

"They think I have nothing but a heirarchy based on IRC [Internet Relay Chat] aliases!" he wrote. "As 1337 as these guys are suppsed to be they don't get it. I have pwned them! :)"

But had he?

"We are kind of pissed at him right now"


Telarus, KSC,
.__.  Keeper of the Contradictory Cephalopod, Zenarchist Swordsman,
(0o)  Tender to the Edible Zen Garden, Ratcheting Metallic Sex Doll of The End Times,
/||\   Episkopos of the Amorphous Dreams Cabal

Join the Doll Underground! Experience the Phantasmagorical Safari!

Cain

I read about this in relation to Glenn Greenwald.

It looks like a major private security firm working in alliance with a group linked to the Chamber of Commerce were paid by the Bank of America to come up with a plan to neutralize both Anonymous and major supporters of Wikileaks in the media, such as Greenwald, to further a delegitimization of Wikileaks as a whole.

This is a major fucking scoop.

Sister Fracture

Roaring Berserkery Bunny of the North End™

A Tucsonite is like a Christian in several important ways.  For one thing, they believe what they say about their god in the most literal, straightfaced way possible.  For another, they both know their god can hear them.  The difference between the two, however, is quite vast in terms of their relationship with their god; Christians believe in His benevolence, but Tucsonites KNOW of The City's spite and hate.

Nephew Twiddleton

I like it how it never once entered this dude's mind that it was probably a really bad idea, as his coder told him repeatedly.
Strange and Terrible Organ Laminator of Yesterday's Heavy Scene
Sentence or sentence fragment pending

Soy El Vaquero Peludo de Oro

TIM AM I, PRIMARY OF THE EXTRA-ATMOSPHERIC SIMIANS

Eater of Clowns

Wow this was a really interesting story.  :)
Quote from: Pippa Twiddleton on December 22, 2012, 01:06:36 AM
EoC, you are the bane of my existence.

Quote from: The Good Reverend Roger on March 07, 2014, 01:18:23 AM
EoC doesn't make creepy.

EoC makes creepy worse.

Quote
the afflicted persons get hold of and consume carrots even in socially quite unacceptable situations.

Juana

Quote from: Doktor Blight on February 12, 2011, 05:07:04 PM
I like it how it never once entered this dude's mind that it was probably a really bad idea, as his coder told him repeatedly.
His picture suggests he's a smug little fucker who thinks he can get away from these kinds of things.
"I dispose of obsolete meat machines.  Not because I hate them (I do) and not because they deserve it (they do), but because they are in the way and those older ones don't meet emissions codes.  They emit too much.  You don't like them and I don't like them, so spare me the hysteria."

Jasper

To fuck around with 4chan is truly an act of hubris.  Ever thus to media moguls.

Disco Pickle

So I did finally dig into this and I have to say... what a fucking dumbass. I applaud everything that's happened to him.

he made his bed. 
"Events in the past may be roughly divided into those which probably never happened and those which do not matter." --William Ralph Inge

"sometimes someone confesses a sin in order to take credit for it." -- John Von Neumann

Pæs

I really like the IRC logs, where he comes in to, once again, let Anonymous know that they've broken the law... still failing to understand his position there.

Triple Zero

Also, this is the social engineering they pulled to get root on rootkit.com:

http://dazzlepod.com/site_media/txt/rootkit.com.txt

Classic textbook social engineering.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

LMNO

Quote from: Triple Zero on February 14, 2011, 04:28:41 PM
Also, this is the social engineering they pulled to get root on rootkit.com:

http://dazzlepod.com/site_media/txt/rootkit.com.txt

Classic textbook social engineering.

That was disturbingly easy.

Requia ☣

They don't allow remote root but root superuser works?  WTF?

Also the complete and utter lack of wetware control is kinda scary, no way in hell would I reset a password to what they requested unless they were standing in front of me (and I knew them personally).  Password resets are random and go over encrypted emails ffs.
Inflatable dolls are not recognized flotation devices.

Triple Zero

Quote from: LMNO, PhD on February 14, 2011, 04:32:09 PM
Quote from: Triple Zero on February 14, 2011, 04:28:41 PM
Also, this is the social engineering they pulled to get root on rootkit.com:

http://dazzlepod.com/site_media/txt/rootkit.com.txt

Classic textbook social engineering.

That was disturbingly easy.

Keep in mind that the hacker already managed to send email from greg@hbgary.com, which helps on the credibility part.

HOWEVER, doing that is really easy and requires no "real hacking" whatsoever. The email protocol specifies you can write whatever you like in the "From:" field in an email header. Sometimes your ISP would block emails with a different host domain in the header, but I found just as often they don't.

It is relatively easy to detect though. Most email clients have a "view source" or "display all headers" option, if you do that, and know what you're looking at, it'll be obvious something's not right.

But then, if the recipient has no reason to suspect foul play, he's never going to know.

So in this case, I don't know if the hacker has already read other bits of Greg Hoglund's writing, since he's transmitting a very distinct tone of voice and writing style (lowercase "im", "or something vague", etc), also mentioning those two other root passwords ("jabberwocky" in l33t, really?).

Or maybe he's just assuming that this Jussi never really talked to Greg before and is bluffing really, really hard. But in that case, a bell would ring for any sysadmin worth their salt and they'd check a few things or other.

Which is why the hacker used the "I'm in a rush" gambit.

If you like these sorts of things, check out the classic "Art of Deception" by Kevin Mitnick and another book called "Low Tech Hacking" (or Lo-Tech, I forget--I believe it was in one of the large book collections posted many years ago, both of them possibly, but you can find AoD simply by Googling a bit, even though it's copyrighted, loads of hacker websites have it up as text format)

Oh and of course it could also be that the hacker had indeed already hacked Greg's email account and is not just faking the header.

Either way, these mistakes should definitely NOT be made by companies that are pretty much in the business of educating other companies how NOT to make these mistakes (which is probably the No.1 task of most security consulting agencies).

So yeah, if this hack really did cost HBGary millions of dollars (releasing 60k emails and a corporate database full of sensitive non-disclosure-agreement data can do that), Anonymous definitely did a public service. Cause the US gov was wasting loads of tax dollars on these schmucks. And their future non-government clients are better off for not going into business with these charlatans.

Only thing that I personally consider unethical about it (not talking about legality here) is that the leaks contain NDA data from other companies. They didn't do anything wrong, and any damage there is collateral. Not very nice of Anonymous, but it spells the end for HBGary since NDA is nothing to fuck with, and it was their responsibility to keep that data safe (come on, a security company getting owned like this, I still can't believe it) and the NDA contracts probably don't have an "unless you get 0wned by Anonymous" clause.

Quote from: Requia ☣ on February 14, 2011, 05:16:56 PM
Also the complete and utter lack of wetware control is kinda scary, no way in hell would I reset a password to what they requested unless they were standing in front of me (and I knew them personally).  Password resets are random and go over encrypted emails ffs.

You seem to gloss over the social engineering aspects a little bit.

While I agree with LMNO that it seemed disturbingly easy, after reading Cialdini's Influence, I'm very hesitant to say things like "no way in hell [I would fall for that]". Book quotes some interesting statistics about people saying "no way I would fall for that" about the typical psychological influence tricks. When faced with such a situation a bit later on, unexpectedly and in a (set up) real life scenario, they are still very likely to fall for it. Admittedly, less so than people that did not boast their resilience, but it was more like they fell for it 90% and the sure-of-themselves crowd still a fat 75%. More than enough for me to stop thinking "Ha! I'd never do something that dumb".

See, what you're forgetting is that this is his BOSS emailing him, and he is in a HURRY. Apparently that was enough for this guy to drop protocol (if there was any). And before you say you'd never drop protocol no matter what somebody would say, re-read the above paragraph :)

If you're just counting on your natural resilience against social engineering, you're going to fall into the 75% category. The only way to do better than that is training. Real simple, just some basic exercises where somebody asks for the password and you say "no" :) Best if they're obviously not real, not your actual boss's name, not even the same company cause that way they won't get mixed up for the real thing (remember all the movie plots where *whatever* got exploited or broken into because of a faked training exercise or fire drill? yeah). You just need to take your mind through the movements a few times, so it etches out the pattern.

Anybody who worked in a call-center probably has done similar exercises (training). Often even with hired actors.

Really really good security consultancy firms provide this sort of training. But it's hard to sell, so not many of them do. The bullshit spouted by Aaron Barr sells a lot better.
Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.
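Triple Zero's point that a forged From: line shows up once you look at the full headers can be automated. The following Python is an added example, not code from the thread or from any party it discusses; the sample messages, relay hostnames and IP addresses are constructed, and it assumes the receiving mail server stamps Return-Path, Received and Authentication-Results headers as most do.

```python
"""Flag a forged From: by comparing it with the envelope sender, the earliest
Received: hop and the Authentication-Results an inbound MTA adds (added example)."""
import email
import re
from email.utils import parseaddr

# Constructed sample: From: claims greg@hbgary.com, but the envelope sender and
# the originating relay belong to an unrelated provider and SPF failed.
SPOOFED = """Return-Path: <bounce@mail.example-relay.net>
Received: from mail.example-relay.net (mail.example-relay.net [203.0.113.7])
\tby mx.example.com with ESMTP; Mon, 7 Feb 2011 10:01:02 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-relay.net;
\tdkim=none
From: Greg Hoglund <greg@hbgary.com>
"""

# Constructed sample of a consistently routed message (relay name hypothetical).
LEGIT = """Return-Path: <greg@hbgary.com>
Received: from mail.hbgary.com (mail.hbgary.com [198.51.100.9])
\tby mx.example.com with ESMTP; Mon, 7 Feb 2011 10:05:00 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hbgary.com;
\tdkim=pass header.d=hbgary.com
From: Greg Hoglund <greg@hbgary.com>
"""

def header_domain(msg, name):
    """Lower-cased domain of the address in a header such as From: or Return-Path:."""
    return parseaddr(msg.get(name, ""))[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    """Return human-readable red flags; an empty list means the headers are consistent."""
    msg = email.message_from_string(raw)
    from_dom, env_dom = header_domain(msg, "From"), header_domain(msg, "Return-Path")
    flags = []
    if env_dom and env_dom != from_dom:
        flags.append(f"envelope sender domain {env_dom} != From: domain {from_dom}")
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if re.search(r"spf=(soft)?fail", auth):
        flags.append("SPF failed for the envelope sender")
    if "dkim=pass" not in auth:
        flags.append("no passing DKIM signature")
    received = msg.get_all("Received", [])
    hop = re.search(r"from\s+(\S+)", received[-1]) if received else None  # last = earliest hop
    if hop:
        host = hop.group(1).lower()
        if host != from_dom and not host.endswith("." + from_dom):
            flags.append(f"originating relay {host} is outside {from_dom}")
    return flags
```

None of these checks is proof on its own (forwarders and mailing lists legitimately break some of them), but a boss's urgent request that trips several of them is exactly the moment to pick up the phone instead of typing a password.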

Requia ☣

I have been in that same situation, so no, I'm not speculating.
Inflatable dolls are not recognized flotation devices.

Requia ☣

Also, you don't need proper training for this, what you need is a password reset policy for the employee to hide behind.  Hell, with proper policy that SE attack isn't even possible, the guy would have switched over to encrypted emails and locked the attacker out of the conversation.
Inflatable dolls are not recognized flotation devices.