April fools was two days ago

On 4/3/09, Robert Lemos <[email protected]> wrote:
> Security Research Suggests Security Researchers Owned
>
> Associated Press
>
> A high percentage of active security researchers have been hacked, and have their shit "pwnt", according to recent research by a collaboration of security researchers. Malicious hackers, possibly from China, are considered responsible for most cases. "It really goes beyond just having our files compromised," security researcher Dan Kaminsky told us, "they have our passwords, our nudes, our Instant Messages, our e-mails, our Social Security Numbers, our addresses and phone numbers, our financial and business information, our website source codes, our girlfriends and our shoe sizes. These people have everything, they really have total control over our lives."
>
> Dan Kaminsky led a research team that included notable insecure researchers Christien Rioux, Nate McFeters, Billy K. Rios, Petko D. Petkov, and Dragos Ruiu. They pooled their resources to analyse just how thoroughly they have been compromised. In an email response, Billy K. Rios informed us that "pdp did some polling around the community. Dragos wrote some scripts that did a lot of heavy analysis on our machines and Nate was really good at distributing them and getting results. Dan was all over the place, without him we wouldn't have these graphs. And of course we all chipped in on the blogging."
>
> According to Kaminsky, between the group of them, they have a "shitload" of compromised files. "But it isn't just us," he continued, "security researchers everywhere are at risk. We're some of the very best at what we do, and even we cannot mitigate all risk factors to eliminate the potential for damage. My less experienced contemporaries, like Halvar Flake, are really in no position to defend themselves." As far as Dan could tell, "most of [the collaborating team]" have been hacked in the past year. "This means that the average security researcher has probably been hacked." Dan explained that the Chinese are probably to blame, because of the forensic evidence pointing in that direction. "These IPs are often Chinese. This is war, war on the white man. It's like the Jewish holocaust, just it's a whitehat holocaust."
>
> If you are a prominent security researcher, what can you do to help yourself? Right now, not much, according to Kaminsky. "At my talk at the Blackhat Briefings this summer I will explain how to subvert this risk. Until then, the whitehats of the world need to talk to IOActive about investing in their Comprehensive Computer Security Services."
>
> When elaborating on the extent of damages that could be caused by hackers, Dan explained that "they could make modifications to our websites and could even write PHP code that would steal your password when you log in and then send it back to a remote server of theirs. This is why the use of secure salted asymmetric cryptographic hashes is important. That's an area that, based on our review of our machines, is occasionally under-utilised. Hackers can do a lot more than just steal our identities or purchase comic books on ebay with our credit cards. They could scan our databases and use our resources to send viruses, or use our websites as trusted sites to trick you into downloading a virus. If you wait for my Blackhat talk, I will be explaining these risks in full."
>
> Billy K. Rios provided us with more details on how they became interested in such innovative research areas. "We've been actively monitoring and researching a number of hacker communication channels, like the Full-Disclosure mailing list and some Internet Relay Chat rooms. We've been watching packets, and those are always interesting. Shiny, too. Between us, we pretty much hear everything. Due to our diligent observations, we noticed some of our spools and passwords have been shared amongst underground hackers. It seems some of our root passes were even traded for accounts on private torrent sites."
>
> Real hackers were unavailable for comment.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
