Dan Kaminsky & Kevin Mitnick Hacked

If any of you follow the mailings lists or the ‘scene’ as it’s known, you’d be familiar with PHC, Phrack, Gobbles, ~el8, Silvio, gayh1tler and the whole Whitehat Holocaust AKA pr0j3kt m4yh3m. (Back when it went public).

The war against whitehats has started up again more vehemently recently with zine known as zero for owned or ZFO.

The latest edition has just hit the streets with some really high profile hacks this time and a HUGE amount of information disclosure. They don’t release any exploits or code, but they do point out sections of certain apps that may be vulnerable. It’s an interesting read, especially the commentary.

You can find the full zf05.txt issue here:

zf05.txt – be warned it’s a 29,000 line text file.

The highest profile hacks must be of Mitnick and Kaminsky, as of now doxpara.com is still down.

Two noted security professionals were targeted this week by hackers who broke into their web pages, stole personal data and posted it online on the eve of the Black Hat security conference.

Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site.

The files taken from Kaminsky’s server included private e-mails between Kaminisky and other security researchers, highly personal chat logs, and a list of files he has purportedly downloaded that pertain to dating and other topics.

No one has ANY idea how long they’ve owned these boxes and been up your mailspoolz. Are they watching you, have they owned your box? If you’re a ‘notable’ whitehat, you speak at conferences and market yourself like a whore.

Most likely yes they are up in your shit.

One day they will rm -rf it and publish all your e-mails in the next edition of zfo zine.

The hacks also targeted other security professionals, and were apparently timed to coincide with the Black Hat and DefCon security conference in Las Vegas this week, where Kaminsky is unveiling new research on digital certificates and hash collisions.

Kaminsky made headlines last year for his Black Hat talk about vulnerabilities in the Domain Name System. He was accused by many in the security community of hyping the issue after he teased the topic in a press conference call a month before his talk without revealing details of the vulnerability, leading everyone to speculate on the nature of it. He was presented with a Pwnie award for Most Overhyped Bug and for “owning” the media.

The hackers criticized Mitnick and Kaminsky for using insecure blogging and hosting services to publish their sites, that allowed the hackers to gain easy access to their data.

Pretty scary stuff, considered all these self-proclaimed experts are having their own sites hacked. What hope do the rest of us mere mortals have?

Little to none, as always a skilled persistent attacker will ALWAYS get in.

A bunch of others got pwned too including hak5, Robert Lemos, Blackhat Forums, PerlMonks, Elite Hackers and BinRev (Binary Revolution).

Source: Wired (Thanks Navin)

Posted in: Exploits/Vulnerabilities, Hacking News


Latest Posts:

dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.

14 Responses to Dan Kaminsky & Kevin Mitnick Hacked

  1. Friedbeef August 3, 2009 at 11:34 am #

    You’re right…. what hope do we have if Mitnick is hackable?

  2. GZero August 3, 2009 at 12:22 pm #

    Mr Mitnick was at least sensible enough to keep personal info off his web facing servers. Our dear friend Dan Kaminsky was less well prepared.

    Every host hacked was running WordPress in some form or another. Funny hey.

  3. cbrp1r8 August 3, 2009 at 1:19 pm #

    lol, wordpress sploits….pfft, dime a dozen there…

    course the only safe computer is the one which is not connected… :D

  4. Navin August 3, 2009 at 2:31 pm #

    Just quoting from the text file:
    Dan Kaminsky is a noob. This guy does not know the first thing about security. His boxes were a crazy combination of half-updated shit, half-removed shit, half-installed shit, half-configured shit. The lack of things working properly actually blocked a bit of 0day. But Dan, do not go selling that as some kind of advanced defense – you provided us with plenty of local holes to exploit and root.

    Dan is a selfish jerkoff who is hated by the security industry and the
    underground alike. He’s fat and ugly in a way that only Gadi Evron could love. Is that hairy ass picture yours or ccg’s? Do we want to know?

    When Dan made a huge stink about DNS flaws about a year ago (July 2008) we knew we had to own him sooner or later. So we did. Him and his little whitehat bitch friends too.

    Dan cannot even administer a box, let alone preach security. He lacks all real legitimacy because he only hunts for flashy bugs that he can turn into a big story. This guy would be the least important character in any real security organization, the fatass past his prime (did Dan have a prime?) who obsesses over areas that no-one else wants to touch just so he can find a niche and avoid getting let go.

    One more thing: They claim they got Mitnick through his own game….. SOCIAL ENGINEERING!! That has to be the icing on the cake!!

    ZFO FTW!!

  5. Black of Hat August 4, 2009 at 5:26 am #

    So who is this Zero For Owned group? I have read two of their zines. But there seems to be a lack of information about the group itself. Surely they can’t be that well hideen underground.

  6. Sploo August 4, 2009 at 5:52 am #

    Yes, i believe they CAN be that hidden.

  7. SpiderM@N August 4, 2009 at 2:57 pm #
  8. null August 4, 2009 at 3:39 pm #

    can “they” hack a pfsense or openbsd router without open ports? just for web surfing, without servers listening?
    this is not a chalenge, it is just a question…

  9. katphyte August 4, 2009 at 7:53 pm #

    This just validates the fact that if you want something to stay secure, don’t ever put it on the web. And it’s more than just a little freaky when you think about the fact that the h ackers behind it probably did it just to see if they could. So what would a malicious attacker who is out for blood do?

    I’ll be the first one to say that no matter how much you know, there’s someone out there who knows more. Too much confidence in yourself can make you forget that you’re really just as vulnerable as the next person.

  10. lol @ null August 4, 2009 at 10:36 pm #

    @ null
    if the server does not accept connections on any ports. then no.

  11. Jeff Price August 5, 2009 at 4:42 pm #

    Is that really all that impressive? Mitnick’s strong points were Social Engineering and Buffer Overflows. Does it really surprise you? This isn’t the first time he’s been hacked. Hes even said too that there if no fool proof security, repeatedly in his books.

  12. id August 8, 2009 at 9:50 pm #

    “No one has ANY idea how long they

  13. Morgan Storey August 10, 2009 at 8:04 am #

    @Null: there could still be an 0-day in something you are using or the easiest target you, they could simply social engineer you to go to a site that drive by downloads something that then makes a connection out to them through your pfsense firewall. Nothing is unhackable, even un connected boxes have theoretical hacks bury it in concrete or destory it if you don’t want it to leak.

  14. Bogwitch August 11, 2009 at 11:40 am #

    I’ve got to agree with Morgan on this one. By far the easiest way to get behind a firewall is to abuse the wetware – the human – behind it. Either by redirecting to a malicious site or emailing a custom trojan.

    There is always the possibility to find a o-day in the firewall, where a malformed packet causes the firewall to barf and fall over in an open state, but that’s pretty unlikely, the leaks are usually from within.

    Also, there is the risk of information leaking from your system via other channels, assuming it’s worth an attackers effort – Google ‘tempest’