Information Security News mailing list archives

Hackers Humble Security Experts


From: InfoSec News <isn () c4i org>
Date: Fri, 17 Jan 2003 00:37:59 -0600 (CST)

http://www.wired.com/news/infostructure/0,1377,57229,00.html

By Brian McWilliams  
Jan. 16, 2003

A wisecracking group of hackers confirmed this week that its claim to 
have spread an antipiracy virus was nothing but a hoax aimed at 
garnering fame. 

But members of the group, known as Gobbles Security, conceded that a 
program it released to demonstrate the problem was a Trojan horse 
capable of destroying files on the computers of unwary Unix users. 

Experts said the bizarre incident, which caused a brief frenzy among 
some security firms and fans of music file sharing, follows a grand 
tradition of pranks by the playful hacking group. 

"I think that the latest Gobbles advisory is genius," said Dave Aitel, 
head of Immunity Security, a security software and services provider. 
"Gobbles takes the piss out of all of us, and we need to respect and 
appreciate that." 

Gobbles' advisory said the Recording Industry Association of America 
had contracted the hacking group to develop a hydra-like computer worm 
that has already spread widely by exploiting security vulnerabilities 
in several popular music programs. 

Gobbles claimed the antipiracy tool enabled the RIAA to create 
infected MP3 music files and distribute them through file-sharing 
networks, compromising and cataloging the infected systems. 

In an e-mail interview, Gobbles representatives admitted that they 
fabricated the RIAA claim to get attention. 

"The only excuse we can offer for our immaturity is that we like the 
fame," they said. 

An RIAA spokesperson also said Gobbles' claim that it's working for 
the trade association was a hoax, but the representative declined to 
comment on RIAA's technology-based antipiracy efforts. 

However, a security flaw described in the Gobbles warning was very 
real, according to Michael Hipp, developer of mpg123, a Unix-based MP3 
player cited in the advisory. 

Included with the Gobbles advisory was source code to a hacking 
program that exploits the security bug. The use of mpg123 to play 
special MP3 files created by the hacking program will delete files on 
the user's computer with the Unix command "rm -rf," Gobbles 
acknowledged. 

"If anyone was dumb enough to lose data because of this, they deserved 
it," wrote Gobbles representatives in an e-mail, which also noted that 
the program warned users before deleting their files. 

Dan Ingevaldson, an R&D manager at Internet Security Systems, said 
Gobbles is "kind of an enigma" and is known to distribute both serious 
and frivolous advisories. But Ingevaldson said he always enjoys 
reading the group's bulletins, even though they sometimes poke fun at 
ISS. 

But to some in the security business, Gobbles' pranks and long-winded 
advisories -- often written in faux broken-English and containing 
diatribes about the industry -- have become tiring. 

"It's just a big waste of everyone's time.... It's about as useful as 
a bag of flaming dog doo on your doorstep," said Ryan Russell, author 
and former moderator of the Vuln-Dev security mailing list. 

Indeed, Gobbles' haughty attitude has made the group the target of 
recent attacks, especially after a Gobbles leader, who uses the alias 
Nwonknu, ridiculed members of the security industry in a rambling 
keynote address in August at the annual Defcon hacker convention in 
Las Vegas. 

The following month, a computer allegedly owned by Nwonknu was hacked, 
and some of its contents were anonymously posted to Full-Disclosure, a 
security mailing list, from the e-mail account 
bastedturkey () hushmail com. 

Then in October, someone forged hundreds of nonsensical messages to 
the list with the subject line "Poot ze-a cheekee in de-a oofee!" from 
Gobbles' e-mail address. The incident caused some list participants to 
call for a blockade of e-mails from the group. 

But some security experts said Gobbles' technical prowess gives the 
group a platform as the voice of conscience for the security industry. 

Mark Litchfield, co-founder of NGSSoftware, said he put up $275 in 
response to a public request last August by Gobbles for help with 
airfare to Defcon. 

According to Litchfield, Gobbles "knows (its) stuff" and shares its 
findings with the security community "instead of keeping all (its) 
advisories/exploits and sharing them privately with the black-hat 
community, which I would feel is a greater threat." 

In a jab at SecurityFocus, the Symantec-owned security firm that 
operates the popular Bugtraq mailing list, Gobbles registered the 
domain Bugtraq.org in 2001. Due to an apparent spate of attacks on the 
site, Gobbles' advisories have been mirrored at a site hosted by 
Aitel. According to Aitel, who said he has no other involvement with 
the group, Gobbles helps to keep the security industry's "huge egos" 
in check. 

"Gobbles teaches everyone the valuable lesson that no matter how elite 
we are, how rich we are, how many three letter agencies we have 
contracts with, how much of the Fortune 500 relies on us to keep their 
systems secure, someone out there is giggling at us," said Aitel. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.