Crackers publish hackers' private data
On the eve of the Black Hat security conference, crackers published a comprehensive text document in the underground magazine Zero for Owned (ZF0), containing masses of emails, chat records, passwords and other private information belonging to famous members of the security industry. Evidently they captured the data by breaching the web servers of Kevin Mitnick, Dan Kaminsky and Julien Tinnes. They boast of having captured 75,000 clear-text passwords this way, most of them from the databases of the forum systems running on the affected servers.
The crackers explained their motivation on Dan Kaminsky's site, which has now been taken off-line. Kaminsky became known beyond the hacker scene last year for revealing an error in the DNS system. The crackers criticise the famous hackers for exaggerating security problems in the media in order to promote their own careers, accusing Kaminsky of only seeking bugs that the media will publicise and saying that Mitnick, who at one time was arrested for his hacks, is only living off the fame of yesteryear. Both are sneered at as lacking in specialist knowledge, as evidenced by these attacks. The authors of ZF0 also attack the close cooperation between the White Hat hackers and the industry, and condemn their responsible disclosure of the security vulnerabilities they find.
Kaminsky says the crackers only got hold of private or irrelevant material, and none of the information could lead to new attacks or exploits. Questioned by journalists, he said the hack looked more dangerous than it actually was ("it is just drama"). He said he didn't understand what was supposed to be so exciting about his love life and he wouldn't have had any problem with the hack if it had only dealt with technical details. A few hours after the hack he wrote on his Twitter page, "Messy, but heh. Walk onto a battlefield, you might get shot."
It still isn't clear how the crackers were able to get into the servers. With Kaminsky it was apparently a quick job, as the root password was claimed to contain only five characters, some passwords were easy to guess, and there was a zero-day vulnerability in a server component (no further details of which have been given). It's rumoured that this could be a security vulnerability in OpenSSH, but there are serious doubts about its existence. An article in The Register says Kevin Mitnick's server was cracked because the attackers were able to take over machines used by his web host and were then able to take control of Mitnick's site. Referring to Dan Kaminsky, Mitnick told The Register that he himself would never put sensitive documents on a computer with an internet connection, but others were evidently suffering from the "illusion of invulnerability".