[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Stories of pwnage



Apologies for cross-posting, however this list might be directly
interested in this story since the hackers who break in our servers
made extensive use of Tor.

-----

re all,

as some might have noticed or read, Dyne.org has been hacked and
lulled a few weeks ago by the crewz at Everyone Gets Owned

http://pastebin.com/NnJ19iPz

(beware the above is better read while playing your fav tunes of
 Autechre, Clock DVA, Ozric Tentacles, Chemical Broz or even NIN)

In the E.G.O. release there is an interesting range of informations
about the happy mess running in one of our public servers: you can
even use some of it to figure out some passwords and stuff. Damn.

While the l33t sp33ch in the zine sounds quite l4m3 (c'mon guys, its
2013, and happy new year!) the reader should be careful before judging
this as a scriptkid gig, because to our analysis it seems to be an
interesting hack. EGO crewz have used a 0-day vulnerability in the
wiki Moin Moin to gain shell access as www-data, something that
affected at that time a lot of more websites like the Debian wiki or
the Python wiki. Here are the details as released by the Moin Moin
crews: http://moinmo.in/SecurityFixes

As of now this is a rather serious vuln, patches are almost all out,
everyone should update. Our reaction to the discovery was simply to
inform Debian and MoinMoin privately, nothing else. We were anyway
honoured to see a 0-day burned like that on us. Wow :^)

The tech they used to gain the shell is quite serious, there is some
smart tunneling via Tor involved and cute moinexec.py shell, in
general a rather neat way to cut through our butter with a style that
looks better in code than in their z1n3 l33t sp33ch.
And they were also right in guessing that almost noone used Jaro Mail.

Ultimately the E.G.O. hackers have been kind on us and have not
bothered to damage or deface anything. Some people reported outage of
the dyne:bolic webpage on reddit
http://www.reddit.com/r/pwned/comments/15ay04/dynebolic_r00ted/
but that was pure coincidence since the dynebolic.org website is
hosted on another machine that had an harddisk failure right during
those days.

In their release they speak about having rooted kernel, vendor and
bugged our software with backdoors, but frankly that's not true. We
have crypto hashes and signatures of all the software we distribute
and controlling those everything matches. The server "Munir" which was
hacked had a lax security policy anyway because nothing really
critical was in there.... it also seems that E.G.O. crews haven't
bothered to do root escalation either, but then we might be just wrong
on that :^) and while our software users will still be safe, we'll
leave those hackers keep a shell on our server, why not. After all,
they seem to be able to get one anyway if they want.

In fact, just in case they like to step forward with us privately, we
are keen to have some exchange and even include part of their
interested members in our network (yes, we do have some private
mailinglists, you might have seen then by now).

At last, since as we mentioned the hack was done with proper tools and
as of now a 0-day was burned for the lulz, we offer a reward of
10.1337 Bitcoins to the E.G.O. hackers for releasing some of their
neat tools as free software, like the stuff they have used with
us... if you do, just publish a Bitcoin address on the next zine,
we'll pimp it up for your next golden teeth implant.

that's almost all folks! now lets talk politics :^) we leave you with
two quotes, the last one is a rather long text from the 5th issue of
the Zero For Owned zine titled "Summer of Ham" where some known
r0ckst4rs were hacked. Immediately below another short quote. All this
because we agree with the rant of the often marginalized, so called
"black hats": there are serious problems in the security industry,
that the hacker community at large should address, maybe is the time
to bash the hell out of the manager cast and their fck'd up hierarchy.

As Michael Abrash once wrote, quoting his colleague Gabe Newell:

 When he (Gabe Newell) looked into the history of the organization, he
 found that hierarchical management had been invented for military
 purposes, where it was perfectly suited to getting 1,000 men to march
 over a hill to get shot at. When the Industrial Revolution came
 along, hierarchical management was again a good fit, since the
 objective was to treat each person as a component, doing exactly the
 same thing over and over. [...]  Hierarchical management ...
 bottlenecks innovation through the people at the top of the
 hierarchy, and there's no reason to expect that those people would be
 particularly creative about coming up with new products that are
 dramatically different from existing ones - quite the opposite, in
 fact.

                                           |
                                       \       /            _\/_
     Industry check                      .-'-.              //o\  _\/_
                                    --  /     \  --           |   /o\\
  ^^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^-=======-~^~~^^~~^~^~^~|~~^~^|^~`
     We don't talk to police                                        |
       We don't make a peace bond

The security scene  is fucked. You have Dan  Kaminsky lecturing you on
how DNS poisoning  will destroy life as we know  it. You have Matasano
harvesting talent  and critiquing everyone,  and then Ptacek  can only
announce  the release  of....a graphical  firewall  management client.
There's kingcope  killing bugs and dropping  weaponized exploits while
making no  other contribution  except putting a  smile on the  face of
kiddies. There's  iDefense and their competitors  selling exploits and
only doing  research in how to  make more exploits.  There's Jeff Moss
running a  conference under the hideous  misnomer "Blackhat Briefings"
where the same researchers search  for glory and present the same shit
year after year. There are people who just live press release by press
release. And on top  of it all, somehow you STILL have  not got rid of
Kevin Mitnick.  The industry cares  about virtualization one  year and
iPhones the  next, every  year forgetting the  lessons it  should have
picked up in the last.

If you are just someone looking to  pay a fair price to not get owned,
you find  out quickly  that none  of these people  exist to  help you.
Very few people in this  industry have their income model based around
actually making you  more secure. At best, some of  them have it based
around convincing you that you are better off.
 
The  very concept  of "penetration  testing" is  fundamentally flawed.
The problem with  it is that the penetration tester  has a limited set
of targets they're allowed to attack, while a real attacker can attack
anything in order to  gain access to the site/box.  So if  a site on a
shared host is  being tested, just because site1.com  is "secure" that
does NOT in  anyway mean that the server  is secure, because site2.com
could easily be  vulnerable to all sorts of  simple attacks.  The time
constraint is another problem. A professional pentester with a week or
two to spend on a client's network may or may not get into everything.
A real  dedicated hacker making the  slog who spends a  month of eight
hour days WILL get into anything  they target. You're lucky if it even
takes him that long, really.

Those things should all be  very obvious, but whitehats still make the
mistake of discounting them. Look at Mitnick. Every time he gets owned
he blames his host or his  DNS provider. If he's getting owned through
them, that's still his fault.  Choosing a host is a security decision,
it's  just like  choosing a  password. If  you choose  a weak  one you
expose yourself.  It's still your fault.

It's   the   same   with   outsourcing   the   development   of   your
security-critical code.  Mitnick could get  someone else to make him a
flashy website,  and then blame them  when it is full  of file include
vulnerabilities.  People do this  all the  time, indirectly,  by using
ridiculous  CMS  or  blog  software.  As  an  easy  example,  look  at
Wordpress.  Even easier,  look  at Wordpress  in  2007.  Horrid.  When
considering Wordpress, a blackhat starts reading the PHP, shudders and
giggles, and then laughs at the idea  of ever using it on one of their
servers. A whitehat never gets  that far apparently, they just install
it  and  get  owned.  I  simply  fail  to  see  how  leading  security
researchers run  all kinds  of code that  is blatantly  dangerous. Are
they really that bad at reading code? Or do they just not care much if
their passwords end up on  Full Disclosure? If it's the second option,
why is that?  Why can these people make a living selling security when
they make such bad choices? How do they maintain legitimacy? They take
less responsibility for getting owned than do the people who they sell
services to.

There's a popular term for people who don't read code.
We call them script kiddies.

You cannot outsource  blame. You HAVE to take  responsibility for your
mistakes, whether they are mistakes in your code, mistakes in code you
are using, mistakes by your host,  or mistakes in who you trust. These
are all  security choices.  Learn to control  this shit. Learn  how to
read code.  A lot of the  time it only  takes a very shallow  audit to
realise that the code is crap and  is bound to have bugs. In a smarter
world,  security professionals get  paid to  stop people  from getting
owned. End of. These is no limit to the scope of an audit.

Are you professional  types really this out of touch?  I see all these
papers about how to protect yourself from these super-fucking-advanced
techniques and exploits that very few people can actually develop, and
most hackers will NEVER USE. It's the simple stuff that works now, and
will continue to work years into the future. Not only is it way easier
to dev for  simple mistakes, but they are easier to  find and are more
plentiful.
 
The  whole concept  of full-disclosure  has backfired.  It  will never
work. It's some slashdot hippie pipe dream. Even you dumbass corporate
types should recognize this. If  you're constantly giving away all the
vulnerabilites you  find, for *FREE*  mind you (and what  other industry
does that?), and the vulnerabilites  get harder and harder to find and
exploit, it will  get harder and harder for you all  to do your "job".
Frankly, I'm  surprised that the non-disclosure  movement didn't start
in  the security industry  in the  first place.  In a  way it  did, by
default.   With full-disclosure,  the security  industry is  all about
show and  gloat, it is not about  fixing anything. A lot  of bugs have
been fixed  from it, but it comes  with the price of  an industry that
likes to cripple itself. Projects  run by teams of trained monkeys are
always eager to add more bugs to replace those that have been fixed.

We hate  the industry because  it is full  of shit. There are  so many
trolls like Kaminsky who just  desperately search for anything new, to
get  attention.   So  many  talentless  buffoons trying  to  scam  the
planet.  A   lot  of   the  actual  talent   out  there   is  severely
misapplied. It's  an industry  tied to news  and not  results, because
very few  of you can  even attain results.  When you can't,  who's the
wiser? Your  customers can  hardly tell if  you have really  made them
more  secure  or  not.   Sometimes  there  are  superficial  benefits,
sometimes there aren't. How do you convince the customer that they are
more ZF0-safe than  before, if they were never  targetted and probably
never will  be? And you all lack  the legitimacy to really  do the job
you should anyways. We can only expose so many frauds, the rest of you
can pretend you have changed something.

Very few whitehats  actually go out there and  provide a service where
they make people more  secure. Not just for a day or  a month. Are you
genuinely fixing  the underlying design and logic  flaws that generate
security problems for your clients or customers? If you actually clean
up every exposed security flaw  they have, will they still be "secure"
in six months or a year?

We could go on. Just in general, the industry is failing.
Flat out failing.
You cannot even protect yourselves.

----------------------------------------------------------------------

-- 
http://jaromil.dyne.org
GPG: B2D9 9376 BFB2 60B7 601F 5B62 F6D3 FBD9 C2B6 8E39
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk