If any of you follow the mailings lists or the ‘scene’ as it’s known, you’d be familiar with PHC, Phrack, Gobbles, ~el8, Silvio, gayh1tler and the whole Whitehat Holocaust AKA pr0j3kt m4yh3m. (Back when it went public).

The war against whitehats has started up again more vehemently recently with zine known as zero for owned or ZFO.

The latest edition has just hit the streets with some really high profile hacks this time and a HUGE amount of information disclosure. They don’t release any exploits or code, but they do point out sections of certain apps that may be vulnerable. It’s an interesting read, especially the commentary.

You can find the full zf05.txt issue here:

zf05.txt – be warned it’s a 29,000 line text file.

The highest profile hacks must be of Mitnick and Kaminsky, as of now doxpara.com is still down.

Two noted security professionals were targeted this week by hackers who broke into their web pages, stole personal data and posted it online on the eve of the Black Hat security conference.

Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site.

The files taken from Kaminsky’s server included private e-mails between Kaminisky and other security researchers, highly personal chat logs, and a list of files he has purportedly downloaded that pertain to dating and other topics.

No one has ANY idea how long they’ve owned these boxes and been up your mailspoolz. Are they watching you, have they owned your box? If you’re a ‘notable’ whitehat, you speak at conferences and market yourself like a whore.

Most likely yes they are up in your shit.

One day they will rm -rf it and publish all your e-mails in the next edition of zfo zine.

The hacks also targeted other security professionals, and were apparently timed to coincide with the Black Hat and DefCon security conference in Las Vegas this week, where Kaminsky is unveiling new research on digital certificates and hash collisions.

Kaminsky made headlines last year for his Black Hat talk about vulnerabilities in the Domain Name System. He was accused by many in the security community of hyping the issue after he teased the topic in a press conference call a month before his talk without revealing details of the vulnerability, leading everyone to speculate on the nature of it. He was presented with a Pwnie award for Most Overhyped Bug and for “owning” the media.

The hackers criticized Mitnick and Kaminsky for using insecure blogging and hosting services to publish their sites, that allowed the hackers to gain easy access to their data.

Pretty scary stuff, considered all these self-proclaimed experts are having their own sites hacked. What hope do the rest of us mere mortals have?

Little to none, as always a skilled persistent attacker will ALWAYS get in.

A bunch of others got pwned too including hak5, Robert Lemos, Blackhat Forums, PerlMonks, Elite Hackers and BinRev (Binary Revolution).

Source: Wired (Thanks Navin)

It just goes to show, however smart you think you are…don’t bother trying to wreck someones data. In this case, even if the guy was pissed it was highly responsible as it involved medical records and could actually seriously effect someones life.

He was pretty careful but left a few clues behind, more than enough for the FBI to catch him (computer names, printers installed etc.).

An IT manager who sought revenge for an unfavorable job evaluation was sentenced to more than five years in federal prison after being convicted of intentionally triggering a massive data collapse on his former employer’s computer network.

Jon Paul Oson, 38, of Chula Vista, California, was sentenced to 63 months behind bars and ordered to pay more than $409,000 in restitution, according to federal prosecutors in San Diego. He was immediately taken into custody after the sentence was handed down on Monday. It is one of the stiffest penalties ever for a computer hacking offense.

It’s a pretty huge sentence for hacking – 63 months or just over 5 years! As mentioned it’s one of the stiffest sentences ever for a computer related crime.

It did cause some serious losses though with a staggered disruption of data, as he was familiar with the backup system he could disable it then wait until the cycle had finished…then once the data was gone it was gone.

On December 23, Oson logged onto servers belonging to his former employer and disabled the program that automatically backed up medical records for thousands of low-income patients. Six days later, he logged on again, and in the span of 43 minutes, methodically deleted the files containing patients’ appointment data, medical charts and other information.

The dollar cost of Oson’s rampage was pegged at $409,337.83 and accounted for expenses for technical investigations and moving to a paper-based system in the weeks following the attack. But the real toll came when doctors at North County Health Services no longer had medical records for thousands of low-income patients who sought medical care. North County Health Services contracted with Oson’s employer to store the records.

Pretty scary that one guy has this kind of power, it just shows it doesn’t pay to annoy the BOFH! Anyway what he did was wrong and he’s getting what he deserved, I mean he didn’t even get canned he just got a bad evaluation.

Any thoughts on this?

Source: The Register

Gentoo Pulls the Plug after Getting Pwned

Gentoo pulled quite a few of it’s servers recently following the discovery of a fairly severe flaw in it’s systems.

Just to show that Linux systems aren’t invulnerable and immune to all security issues.

Ubuntu suffered quite heavily recently too, so don’t assume just because you use Linux you’re safe.

Admins with the Gentoo Project say they have disconnected major parts of its website a week after discovering it could be vulnerable to a command injection attack that allows bad guys to remotely execute code on the machine.

At time of writing, users trying to access Gentoo Archives and at least seven other areas of Gentoo.org got a message saying they were unavailable. Gentoo pulled the server hosting the sections “to prevent further exploitation and to allow for forensic analysis,” according to Gentoo’s homepage.

The words “further exploitation” and “forensic analysis” suggest the server was pwned, but Gentoo assures us the damage was minimal.

Not to say Linux is intrinsically unsafe either, you are definitely safer using Linux than Windows, especially if you don’t spend all your time using root.

Just be wary.

Members intend to rebuild the server and will also perform a security audit on source code for packages.gentoo.org, which is the service containing the injection vulnerability. According to this advisory, the vulnerability allows the remote execution of code by attaching a semicolon to the end of the URL, immediately followed by the command an attacker wants to run. The bottom of the page will then display the output of that command.

Gentoo’s advisory comes a week after Ubuntu unplugged five of its eight production servers following the discovery they had been so badly compromised that they were being used to attack other sites. Turns out the systems, which were sponsored by Canonical and hosted by the community, were running an old version of Ubuntu. Tsk, tsk.

The irony is…Gentoo servers are hosted on Ubuntu, old versions of Ubuntu with flaws!

Source: The Register

A while back Microsoft UK got hacked by some Saudi Hackers, Microsoft is always one of the top targets for renegades and ‘cyber-terrorists’ as the high profile nature of the company can give some publicity to their causes.

This was less than a month after Technet got owned.

I don’t think they are ever going to lay off MS.

Saudi hackers manged to deface a page on Microsoft’s UK web site last week, recording the techniques they used in an online video.

The software giant’s sites are periodically hit by acts of digital graffiti. In this case, however, the defacement gang unusually decided to document its attack.
Click here to find out more!

A video illustrating SQL Injection flaws affecting www.microsoft.co.uk, used to insert extra HTML code that formed the basis of the attack, was posted online. Details of how this might be done would be useful fodder for hackers so it shouldn’t come as any particular surprise to learn that the video (posted on unbase.com) was pulled over the weekend.

I’d say the site is still pretty insecure and is likely to get owned again.

According to Zone-h, microsoft.co.uk’s externally hosted website remains potentially vulnerable to Cross Site Scripting and SQL injection attacks. It bases this conclusion on debug errors generated by scripts on the site.

Microsoft.co.uk is run using IIS6 on a series on Windows 2003 servers, according to Netcraft. ®

You can see details of the defacement and the result at Zone-H here.

Source: The Register

It has happened quite a few times lately, politically tight situations, mistakes, data or information leaks and whoops damn…er…let’s blame it on hackers!

Case 1:

California Highway Patrol officials have opened a criminal investigation into “multiple” breaches and illegal downloads by outside hackers into the computers of Gov. Arnold Schwarzenegger’s office, after an embarrassing private taped conversation was leaked last week to the Los Angeles Times, administration officials told The Chronicle.

“There is an investigation conducted by the California Highway Patrol on how the tape obtained by the L.A. Times was acquired,” said a senior official who spoke on condition of anonymity. “This is a criminal matter that has been turned over to the CHP.”

Source: SFGate

Case 2:

The man responsible for Joe Lieberman’s campaign Web site said Tuesday that Joe2006.com was overwhelmed by traffic generated by hackers early Tuesday morning, forcing him to take the site off-line.

Tuesday’s attack was the third in the past month, said Dan Geary, who runs Lieberman’s site. But the earlier two attacks involved defacements & the hacker altered content on Lieberman’s home page. This time, attackers toppled the Lieberman site with requests, probably by directing an army of hacked computers at the site.

Source: MSN

So who do we believe?!

Haha, well serves them right, get out and get laid guys.

Online payment company iBill on Thursday said a massive cache of stolen consumer data uncovered by security experts did not come from its database.

“I’m the first person that would have taken this to the FBI and the first person to have gone on 60 Minutes to say ‘we screwed up,’ if that were the case,” said iBill President Gary Spaniak Jr.

Two caches of stolen data were discovered separately by two security companies while conducting routine research into malicious software online. Both had file names that purportedly linked them to iBill.

Losers..but well iBill seems to be off the hook anyway, could be part of a massive Phishing scam.

He says as long as iBill stays in business, it will try to repay those webmasters. “Over $20 million has been paid back, we have plans for paying back another $18 million.”

James says the actual source of the stolen data remains a mystery. An FBI spokeswoman says the bureau wouldn’t investigate the breach unless the source of the leak comes forward to make a complaint.

Source: Wired News