Security researchers' accounts ransacked in embarrassing hacklash

On Sunday morning, security consultant Alan Shimel woke to discover that his personal blog, which is frequented by countless peers and reporters, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and aired sensitive documents he filed with the …

COMMENTS

This topic is closed for new posts.
  1. Justin Pasher
    Thumb Down

    Security consultants using free email?

    Seriously, why is a security consultant using a free email service to send and/or store potentially private documents? Not exactly someone I would like to consult regarding my security.

  2. Anonymous Coward

    Theo de Raadt?

    Let me be the first to point out what a weird hit list this is. I would also hasten to add they better strike quick; some of these people can defend themselves.

  3. yeah, right.

    that'll learn them.

    Perhaps now these "security" people will pay more attention to what they do in day-to-day life, rather than just telling others what they should do? I mean, come on, using gmail if you're at all interested in security? They deserved to be cracked just for that. People in a field should apply what they know, or risk being caught out.

  4. Dave Hall

    Privacy was breached by using 3rd party e-mail services.

    What's interesting is that these security researchers are putting their trust in 3rd parties to protect the stored information. This breaks the possession/control attribute of the Parkerian Hexad of security, one of the foundations of security.

    For example, the google privacy policy doesn't lay out any guarantees that data is protected from a hacker.

  5. You're my wife now Dave
    Stop

    @ Dave Hall

    I intuitively guess that most readers here rely on 3rd parties to provide some layer of security every day (insert names of OS vendor & web browser here)

    Do any privacy policies explicitly guarantee complete protection against hackers?

    It's doubtful any firm would make such a bold claim, security can be compromised in many ways, some methods even circumventing what's in your direct control

    Whatever works now can never be guaranteed future proof. Just look at the *KNOWN* lists of many high profile companies, .gov sites, ISP's, banking, IM & e-mail systems that have been caught with their pants down in some way or another

    There's no hope, be afraid of the future, back to pen & paper everybody! Ahem, were *my* pants down when I started?

    <blushingly pulls 'em up and wonders if a pants down icon is suitable for the reg>

  6. Anonymous Coward

    So

    "...Schimel admits the administrative password for his blog .. was also used to unlock his Yahoo Mail account..."

    He was not even smart enough to use a different password for each authentication point. Proves that the IT security sector is filled with clowns who cannot follow the most basic tenets of security.

  7. Anonymous Coward
    Thumb Down

    Re: Dave's Husband

    It's not that these security researchers placed trust in a third party, ultimately you'd have to, I mean, at some point your data hits your ISP. But that is not the point. These researchers placed *unnecessary* trust in a third party. For something like email, nonetheless. Since it is these guys' jobs to know how to securely configure various kinds of server more securely than the average company (i.e. Google), you would think they'd have their own domain, firewall, routers, etc. That they would have a DMZ, layered security, separate email and web servers, and that they would configure these servers to their own demanding specifications that they tell other people to follow.

  8. Andraž Levstik

    What do security researchers and admining a system securely have in common

    Nothing... They are capable in their own field which is finding flaws and finding ways to work around them etc... In general security... They can recommend best practises etc... But I doubt a lot of them would be able to run secure no relay smtp servers, imap/pop3 servers and web servers and keep on top of it all.

    I'm not saying that they couldn't do this if they set their minds to it; it's not that hard, but it's a different area than looking through code, trying to crack passwords, trying to work around security issues. I'm a sysadmin by trade and a bit of a paranoid one at that, so I do go to the extra trouble of trying to work around any more obvious security issues, but this doesn't involve delving into code or trying to crack passwords.

    Security is a process, it's not a state. A lapse in such a process can be harmless or devastating.

    The best way about security is to be aware of the entire process from start to end and any flaws that are in between. If you are aware you can expect it.

    So yes, most security researchers/consultants will only advise people on what a best practice is;

    the sysadmins and others more knowledgeable in the field of implementation will actually have to update their processes.

  9. John Edwards
    Paris Hilton

    A perfect random number generator

    When professional card players play each other they shuffle the cards by spreading them face down on a table and stirring them about, as it is possible to cheat using other shuffles. So, buy a pack of cards, write the available characters on them, stir, stack, read 'em, (don't weep), and there is your password.

    Not very technological but BOFH and PFY approved for their own use. Paris, because she told me about this.

    John Edwards

  10. Anonymous Coward

    Security researchers' accounts ransacked in embarrassing hacklash

    Guys, all of this sounds so funny. It's easy to blame the PROs, but none of you actually talk about the real bad guys in the story. I am not in the security business myself, but for me it is pretty normal that people have more than one email account. It will be a waste of time if you try to administrate them all. I understand if there is a leakage of corporate information and your clients are in great danger, but to judge someone's professionalism because his subscription mailbox is not safe enough is just insane.

  11. William

    Outsourced email doesn't need to imply lax security

    Dave Hall pointed out that using an email service violated the possession/control principle. The thing is, this doesn't necessarily imply a bad security decision. Rarely is there perfect security, and even if the researcher were to have managed their own mail server, he likely would be sacrificing on the Availability and possibly even the Utility of their mail solution. It'd be rare for any individual to be able to fund the redundancy and bandwidth required to withstand a concerted DoS effort against a botnet's attack against infrastructural elements of a home network (or even a small consulting business). By insisting on a 'do-it-yourself' mentality for things like mail, you could expose more surface area for attack.

    Also, frankly, gmail (along with gcalendar and other g-goodies) are a lot more *useful* than most mail-only solutions out there. The trade off between utility and security isn't always a cut and dry question.

  12. William

    XSS *can* provide full access to account

    The article seemed to imply that Cross Site Scripting (XSS) attacks generally only provide a single transaction vector for attack. It is surprising that The Register would make this mistake, as the canonical example of an XSS attack is to demonstrate the mapping of the DOM element 'document.cookies' into a web request to an attacker's website. This attack provides an attacker all the session credentials needed to log in to a web application without requiring a password (and thus allowing full access to all archived mail). I'm not saying this is what was done in this case, but to dismiss this vector as impractical would be a mistake.
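
An added example, not part of the comment above or of the article: a small audit that flags session cookies a page script could read through `document.cookie` because the `Set-Cookie` header lacks `HttpOnly`. The header values, the function names and the session-name pattern are constructed for illustration.

```javascript
// Constructed sample Set-Cookie header values (not taken from any real site).
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',
  'auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax',
  'theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
  'sid=q1w2e3; HttpOnly',
];

// Parse one Set-Cookie value into its name and the flags that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Report session-like cookies that scripts can read or that may travel
// over plain HTTP. The name pattern is an assumption; adjust per application.
function auditSetCookie(headers, sessionName = /sess|sid|auth|token/i) {
  const findings = [];
  for (const header of headers) {
    const c = parseSetCookie(header);
    if (!sessionName.test(c.name)) continue; // ignore preference cookies
    if (!c.httpOnly) findings.push({ cookie: c.name, issue: 'missing HttpOnly' });
    if (!c.secure) findings.push({ cookie: c.name, issue: 'missing Secure' });
  }
  return findings;
}

for (const f of auditSetCookie(SAMPLE_HEADERS)) {
  console.log(`${f.cookie}: ${f.issue}`);
}
```

`HttpOnly` keeps the cookie out of script reach; it does not stop injected script from issuing requests inside the victim's live session, so output encoding and a content security policy are still needed.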

  13. The Other Steve

    Funniest story of the year by far.

    "Schimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account."

    The fact that he wasn't doing so already, and seems to have been tripped up by a sKript k1ddie exploit and/or by using ware that is well known to be vulnerable speaks volumes about his professionalism.

    Reputation deservedly smeared, I can't help but think. But then, I'm not very nice.

  14. Rafal
    Alert

    It's not funny dude, it's kind of scary

    wow :) now I am really scared :) this could happen to everyone, even the best ones in the field. Even if you are too paranoid about these issues, you can still get hacked. It's not about any security protection, it's about targeting and determination. Everything is vulnerable nowadays. Damn !

    P.S Sorry for my English

  15. Michael

    Yahoo! Still! Sucks!

    >>>Equally disturbing, he found someone had cracked open his Yahoo! Mail account and aired sensitive documents he filed with the Internal Revenue Service.

    More disturbing, a security researcher used Yahoo! Mail to file documents with the IRS??? He should be fired!!

  16. John Benson
    IT Angle

    How to keep email off a webserver?

    All I can think of is having the Internet-facing mail server in the DMZ storing emails downstream behind an internal firewall.

    Any other suggestions?

  17. James Butler
    Thumb Up

    @John Edwards

    In passing ...

    [script type="text/javascript"]
    // uppercase+lowercase+integers, one character per array element
    var passchars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".split("");
    var passwd = "";
    // modify 10 if you want longer/shorter password
    for (var i = 0; i < 10; i++) {
      // passchars.length is 62 here and follows the array if you also include symbols
      var newrand = Math.floor(Math.random() * passchars.length);
      passwd += passchars[newrand];
    }
    document.write(passwd);
    [/script]

    I know Javascript doesn't have a truly random number generator, but if you want pretty-darn random password characters, this'll do it. I keep it as "passgen.html" on my desktop, and any time I need a new one, I open it in my browser and, voila ... 10-char password.
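
An added example, not part of the posts above: the same 10-character, 62-symbol generator drawn from the platform's cryptographic random source instead of `Math.random()`, with rejection sampling so every character is equally likely (the property the stirred deck of cards in comment 9 provides physically). Function names and the injectable `rng` parameter are assumptions made for this example.

```javascript
// Same alphabet as the script above: uppercase + lowercase + digits (62 symbols).
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Web Crypto is global in browsers and current Node; fall back for older Node.
const cryptoObj = globalThis.crypto ?? require('node:crypto').webcrypto;

// rng is injectable only so the rejection logic can be tested deterministically.
function generatePassword(length = 10, alphabet = ALPHABET, rng = cryptoObj) {
  if (!Number.isInteger(length) || length < 1) {
    throw new RangeError('length must be a positive integer');
  }
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet must hold 2 to 256 characters');
  }
  // Largest multiple of the alphabet size that fits in a byte (248 for 62).
  // Bytes at or above it are discarded; mapping them with % would make the
  // first few characters of the alphabet slightly more likely than the rest.
  const limit = 256 - (256 % alphabet.length);
  const out = [];
  const buf = new Uint8Array(length * 2);
  while (out.length < length) {
    rng.getRandomValues(buf);
    for (const b of buf) {
      if (b < limit && out.length < length) {
        out.push(alphabet[b % alphabet.length]);
      }
    }
  }
  return out.join('');
}

// Strength of a uniformly random password, in bits.
function entropyBits(length, alphabetSize) {
  return length * Math.log2(alphabetSize);
}

console.log(generatePassword(), entropyBits(10, ALPHABET.length).toFixed(1));
```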

  18. Robert Brockway
    Linux

    Re: Outsourced email doesn't need to imply lax security

    Hi William. You are quite right. Security is a risk assessment. Suffering a DoS is likely a lot less damaging than having information stolen though. The DoS will end but stolen information is gone forever.

    I use alpine to read my mail and the only way to my MTA is to authenticate ssh using RSA keys. The box is locked behind a firewall too. Yes I could suffer a loss of availability or utility but I have assessed the risk and determined that it is a good trade-off.

    I'm a sysadmin who takes a lot of notice of security (as all sysadmins should, imho) and I was really surprised to see these security researchers making such basic mistakes.

  19. Anil Dash

    TypePad does *not* have the security holes that WordPress does.

    Dan, you say, "Still others guess that the miscreants gained entry through the victims' blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes."

    This is false, and you should know better. The results from the Pwnie awards to the IBM X-Force report to the U.S. Department of Homeland Security's reports all list WordPress among the least secure applications of any kind, not just web apps. TypePad is nowhere to be found on those lists, because it's consistently been extremely secure and reliable for our users.
