Full Disclosure mailing list archives
Security Research Suggests Security Researchers Owned
From: Robert Lemos <rlemos53 () gmail com>
Date: Thu, 2 Apr 2009 18:51:22 -0400
Security Research Suggests Security Researchers Owned

Associated Press

A high percentage of active security researchers have been hacked, and have their shit "pwnt", according to recent research by a collaboration of security researchers. Malicious hackers, possibly from China, are considered responsible for most cases.

"It really goes beyond just having our files compromised," security researcher Dan Kaminsky told us, "they have our passwords, our nudes, our Instant Messages, our e-mails, our Social Security Numbers, our addresses and phone numbers, our financial and business information, our website source codes, our girlfriends and our shoe sizes. These people have everything, they really have total control over our lives."

Dan Kaminsky led a research team that included notable insecure researchers Christien Rioux, Nate McFeters, Billy K. Rios, Petko D. Petkov, and Dragos Ruiu. They pooled their resources to analyse just how thoroughly they have been compromised.

In an email response, Billy K. Rios informed us that "pdp did some polling around the community. Dragos wrote some scripts that did a lot of heavy analysis on our machines and Nate was really good at distributing them and getting results. Dan was all over the place, without him we wouldn't have these graphs. And of course we all chipped in on the blogging."

According to Kaminsky, between the group of them, they have a "shitload" of compromised files. "But it isn't just us," he continued, "security researchers everywhere are at risk. We're some of the very best at what we do, and even we cannot mitigate all risk factors to eliminate the potential for damage. My less experienced contemporaries, like Halvar Flake, are really in no position to defend themselves."

As far as Dan could tell, "most of [the collaborating team]" have been hacked in the past year. "This means that the average security researcher has probably been hacked."

Dan explained that the Chinese are probably to blame, because of the forensic evidence pointing in that direction. "These IPs are often Chinese. This is war, war on the white man. It's like the Jewish holocaust, just it's a whitehat holocaust."

If you are a prominent security researcher, what can you do to help yourself? Right now, not much, according to Kaminsky. "At my talk at the Blackhat Briefings this summer I will explain how to subvert this risk. Until then, the whitehats of the world need to talk to IOActive about investing in their Comprehensive Computer Security Services."

When elaborating on the extent of damages that could be caused by hackers, Dan explained that "they could make modifications to our websites and could even write PHP code that would steal your password when you log in and then send it back to a remote server of theirs. This is why the use of secure salted asymmetric cryptographic hashes is important. That's an area that, based on our review of our machines, is occasionally under-utilised. Hackers can do a lot more than just steal our identities or purchase comic books on ebay with our credit cards. They could scan our databases and use our resources to send viruses, or use our websites as trusted sites to trick you into downloading a virus. If you wait for my Blackhat talk, I will be explaining these risks in full."

Billy K. Rios provided us with more details on how they became interested in such innovative research areas. "We've been actively monitoring and researching a number of hacker communication channels, like the Full-Disclosure mailing list and some Internet Relay Chat rooms. We've been watching packets, and those are always interesting. Shiny, too. Between us, we pretty much hear everything. Due to our diligent observations, we noticed some of our spools and passwords have been shared amongst underground hackers. It seems some of our root passes were even traded for accounts on private torrent sites."

Real hackers were unavailable for comment.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/