Jaromil on Tue, 15 Jan 2013 12:11:40 +0100 (CET)



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Stories of pwnage

To: nettime-l <nettime-l@kein.org>

Subject: <nettime> Stories of pwnage

From: Jaromil <jaromil@dyne.org>

Date: Tue, 15 Jan 2013 11:18:09 +0100

Organization: Dyne.org - http://www.dyne.org

User-agent: Jaro Mail (http://jaromail.dyne.org)

re all, as some might have noticed or read, Dyne.org has been hacked and lulled a few weeks ago by the crewz at Everyone Gets Owned http://pastebin.com/NnJ19iPz (beware the above is better read while playing your fav tunes of Autechre, Clock DVA, Ozric Tentacles, Chemical Broz or even NIN) In the E.G.O. release there is an interesting range of informations about the happy mess running in one of our public servers: you can even use some of it to figure out some passwords and stuff. Damn. While the l33t sp33ch in the zine sounds quite l4m3 (c'mon guys, its 2013, and happy new year!) the reader should be careful before judging this as a scriptkid gig, because to our analysis it seems to be an interesting hack. EGO crewz have used a 0-day vulnerability in the wiki Moin Moin to gain shell access as www-data, something that affected at that time a lot of more websites like the Debian wiki or the Python wiki. Here are the details as released by the Moin Moin crews: http://moinmo.in/SecurityFixes As of now this is a rather serious vuln, patches are almost all out, everyone should update. Our reaction to the discovery was simply to inform Debian and MoinMoin privately, nothing else. We were anyway honoured to see a 0-day burned like that on us. Wow :^) The tech they used to gain the shell is quite serious, there is some smart tunneling via Tor involved and cute moinexec.py shell, in general a rather neat way to cut through our butter with a style that looks better in code than in their z1n3 l33t sp33ch. And they were also right in guessing that almost noone used Jaro Mail. Ultimately the E.G.O. hackers have been kind on us and have not bothered to damage or deface anything. Some people reported outage of the dyne:bolic webpage on reddit http://www.reddit.com/r/pwned/comments/15ay04/dynebolic_r00ted/ but that was pure coincidence since the dynebolic.org website is hosted on another machine that had an harddisk failure right during those days. In their release they speak about having rooted kernel, vendor and bugged our software with backdoors, but frankly that's not true. We have crypto hashes and signatures of all the software we distribute and controlling those everything matches. The server "Munir" which was hacked had a lax security policy anyway because nothing really critical was in there.... it also seems that E.G.O. crews haven't bothered to do root escalation either, but then we might be just wrong on that :^) and while our software users will still be safe, we'll leave those hackers keep a shell on our server, why not. After all, they seem to be able to get one anyway if they want. In fact, just in case they like to step forward with us privately, we are keen to have some exchange and even include part of their interested members in our network (yes, we do have some private mailinglists, you might have seen then by now). At last, since as we mentioned the hack was done with proper tools and as of now a 0-day was burned for the lulz, we offer a reward of 10.1337 Bitcoins to the E.G.O. hackers for releasing some of their neat tools as free software, like the stuff they have used with us... if you do, just publish a Bitcoin address on the next zine, we'll pimp it up for your next golden teeth implant. that's almost all folks! now lets talk politics :^) we leave you with two quotes, the last one is a rather long text from the 5th issue of the Zero For Owned zine titled "Summer of Ham" where some known r0ckst4rs were hacked. Immediately below another short quote. All this because we agree with the rant of the often marginalized, so called "black hats": there are serious problems in the security industry, that the hacker community at large should address, maybe is the time to bash the hell out of the manager cast and their fck'd up hierarchy. As Michael Abrash once wrote, quoting his colleague Gabe Newell: When he (Gabe Newell) looked into the history of the organization, he found that hierarchical management had been invented for military purposes, where it was perfectly suited to getting 1,000 men to march over a hill to get shot at. When the Industrial Revolution came along, hierarchical management was again a good fit, since the objective was to treat each person as a component, doing exactly the same thing over and over. [...] Hierarchical management ... bottlenecks innovation through the people at the top of the hierarchy, and there's no reason to expect that those people would be particularly creative about coming up with new products that are dramatically different from existing ones - quite the opposite, in fact. | \ / _\/_ Industry check .-'-. //o\ _\/_ -- / \ -- | /o\\ ^^~^~^~^~^~^~^~^~~^~^~^~^~^~^~^~^~^~^-=======-~^~~^^~~^~^~^~|~~^~^|^~` We don't talk to police | We don't make a peace bond The security scene is fucked. You have Dan Kaminsky lecturing you on how DNS poisoning will destroy life as we know it. You have Matasano harvesting talent and critiquing everyone, and then Ptacek can only announce the release of....a graphical firewall management client. There's kingcope killing bugs and dropping weaponized exploits while making no other contribution except putting a smile on the face of kiddies. There's iDefense and their competitors selling exploits and only doing research in how to make more exploits. There's Jeff Moss running a conference under the hideous misnomer "Blackhat Briefings" where the same researchers search for glory and present the same shit year after year. There are people who just live press release by press release. And on top of it all, somehow you STILL have not got rid of Kevin Mitnick. The industry cares about virtualization one year and iPhones the next, every year forgetting the lessons it should have picked up in the last. If you are just someone looking to pay a fair price to not get owned, you find out quickly that none of these people exist to help you. Very few people in this industry have their income model based around actually making you more secure. At best, some of them have it based around convincing you that you are better off. The very concept of "penetration testing" is fundamentally flawed. The problem with it is that the penetration tester has a limited set of targets they're allowed to attack, while a real attacker can attack anything in order to gain access to the site/box. So if a site on a shared host is being tested, just because site1.com is "secure" that does NOT in anyway mean that the server is secure, because site2.com could easily be vulnerable to all sorts of simple attacks. The time constraint is another problem. A professional pentester with a week or two to spend on a client's network may or may not get into everything. A real dedicated hacker making the slog who spends a month of eight hour days WILL get into anything they target. You're lucky if it even takes him that long, really. Those things should all be very obvious, but whitehats still make the mistake of discounting them. Look at Mitnick. Every time he gets owned he blames his host or his DNS provider. If he's getting owned through them, that's still his fault. Choosing a host is a security decision, it's just like choosing a password. If you choose a weak one you expose yourself. It's still your fault. It's the same with outsourcing the development of your security-critical code. Mitnick could get someone else to make him a flashy website, and then blame them when it is full of file include vulnerabilities. People do this all the time, indirectly, by using ridiculous CMS or blog software. As an easy example, look at Wordpress. Even easier, look at Wordpress in 2007. Horrid. When considering Wordpress, a blackhat starts reading the PHP, shudders and giggles, and then laughs at the idea of ever using it on one of their servers. A whitehat never gets that far apparently, they just install it and get owned. I simply fail to see how leading security researchers run all kinds of code that is blatantly dangerous. Are they really that bad at reading code? Or do they just not care much if their passwords end up on Full Disclosure? If it's the second option, why is that? Why can these people make a living selling security when they make such bad choices? How do they maintain legitimacy? They take less responsibility for getting owned than do the people who they sell services to. There's a popular term for people who don't read code. We call them script kiddies. You cannot outsource blame. You HAVE to take responsibility for your mistakes, whether they are mistakes in your code, mistakes in code you are using, mistakes by your host, or mistakes in who you trust. These are all security choices. Learn to control this shit. Learn how to read code. A lot of the time it only takes a very shallow audit to realise that the code is crap and is bound to have bugs. In a smarter world, security professionals get paid to stop people from getting owned. End of. These is no limit to the scope of an audit. Are you professional types really this out of touch? I see all these papers about how to protect yourself from these super-fucking-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE. It's the simple stuff that works now, and will continue to work years into the future. Not only is it way easier to dev for simple mistakes, but they are easier to find and are more plentiful. The whole concept of full-disclosure has backfired. It will never work. It's some slashdot hippie pipe dream. Even you dumbass corporate types should recognize this. If you're constantly giving away all the vulnerabilites you find, for *FREE* mind you (and what other industry does that?), and the vulnerabilites get harder and harder to find and exploit, it will get harder and harder for you all to do your "job". Frankly, I'm surprised that the non-disclosure movement didn't start in the security industry in the first place. In a way it did, by default. With full-disclosure, the security industry is all about show and gloat, it is not about fixing anything. A lot of bugs have been fixed from it, but it comes with the price of an industry that likes to cripple itself. Projects run by teams of trained monkeys are always eager to add more bugs to replace those that have been fixed. We hate the industry because it is full of shit. There are so many trolls like Kaminsky who just desperately search for anything new, to get attention. So many talentless buffoons trying to scam the planet. A lot of the actual talent out there is severely misapplied. It's an industry tied to news and not results, because very few of you can even attain results. When you can't, who's the wiser? Your customers can hardly tell if you have really made them more secure or not. Sometimes there are superficial benefits, sometimes there aren't. How do you convince the customer that they are more ZF0-safe than before, if they were never targetted and probably never will be? And you all lack the legitimacy to really do the job you should anyways. We can only expose so many frauds, the rest of you can pretend you have changed something. Very few whitehats actually go out there and provide a service where they make people more secure. Not just for a day or a month. Are you genuinely fixing the underlying design and logic flaws that generate security problems for your clients or customers? If you actually clean up every exposed security flaw they have, will they still be "secure" in six months or a year? We could go on. Just in general, the industry is failing. Flat out failing. You cannot even protect yourselves. ---------------------------------------------------------------------- -- http://jaromil.dyne.org GPG: B2D9 9376 BFB2 60B7 601F 5B62 F6D3 FBD9 C2B6 8E39 # distributed via <nettime>: no commercial use without permission # <nettime> is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime@kein.org