Slashdot Mirror


Cryptome Hacked; All Files Deleted

eldavojohn writes "Over the weekend, the whistle blowing site Cryptome was hacked and vandalized, resulting in all 54,000 files being deleted and two days worth of submissions lost. Cryptome reported that its EarthLink e-mail account was compromised in ways unknown, and once the attacker was inside there, they were able to request a new password from the administration console for Cryptome at their hosting provider, Network Solutions. Once the attacker had that password, they deleted the ~7 GB of data that Cryptome hosted in around 54,000 files. Cryptome was able to eventually restore the site, as they keep backups ready for cases like this and stated that they 'do not trust our ISP, email provider and officials to tell the truth or protect us.'"

34 of 170 comments

  1. Editing! by GuJiaXian · · Score: 4, Insightful

    Holy cow, please edit the submissions before posting them.

    *sigh* I'll get modded down for having the nerve to ask for a baseline of professionalism, won't I?

    1. Re:Editing! by The+MAZZTer · · Score: 5, Funny

      I'm glad they reminded me it happened on the weekend, I have a short attention span and forgot by the time I reached the end of the first line.

    2. Re:Editing! by siddesu · · Score: 3, Insightful

      Professionalism? How about a baseline of a spelling, grammar and general writing skills?

      / Kill me with moderation, William "B.J." Blazkowicz, I am in a Grammar Nazi mood today.

    3. Re:Editing! by Dishevel · · Score: 3, Funny

      You require an editor as well.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    4. Re:Editing! by Raenex · · Score: 4, Funny

      I know I'll get modded down for saying this, but parent is right.

  2. ...what? by blhack · · Score: 3, Interesting

    The real WTF here is that

    A) Cryptome is running on Network Solutions
    B) The email associated with the account is on *earthlink* ???
    C) None of these things have been shut down.

    Seriously, doesn't cryptome host some pretty shady stuff? On the same level as wikileaks, isn't it? What the hell is going on here?

    --
    NewslilySocial News. No lolcats allowed.
    1. Re:...what? by Xemu · · Score: 5, Interesting

      I don't believe their Earthlink account was *hacked*.

      Earthlink is connected (http://www.skeptictank.org/hs/elcoslnk.htm) to the Scentology cult, which are known for hating free speech on the internet. If Cryptome had hosted anything remotely connected with Scientology, they would not hesitate to use that email account to hurt Cryptome.

      --
      Tell your friends about xenu.net
    2. Re:...what? by curmudgeous · · Score: 4, Funny

      > ...Earthlink is connected to the Scentology cult...

      Man, that really stinks.

    3. Re:...what? by misexistentialist · · Score: 2, Insightful

      More likely Earthlink, like all ISPs, has a substandard email system. If Scientologists were involved they would have had to pay a $15000 education fee and been forced to run around a pole for 3 days for leaving the backups.

  3. Earthlink? Network Solutions? by longacre · · Score: 3, Insightful

    Basically this stuff was never safe to begin with, and you're an idiot if you post anything there expecting to be anonymous.

    1. Re:Earthlink? Network Solutions? by caffeinemessiah · · Score: 4, Insightful

      > and you're an idiot if you post anything there expecting to be anonymous.

      Why? If I really wanted to post something anonymously, I would set up a network of proxy SSH servers paid for with prepaid debit cards (purchased using cash), change the wireless MAC on a throwaway secondhand laptop (purchased using cash off Craigslist), walk down to the local Starbucks, access my proxy setup through Tor, and then be reasonably confident that I would be able to do anything anonymously. Of course, I would only post plain text files.

      So I don't really understand why you would be an idiot for expecting anonymity if you went to the pains of taking care of it.

      --
      An old-timer with old-timey ideas.
  4. Not hacked! by kju · · Score: 2, Insightful

    The controversy about hacker vs. cracker is old and unsolved. But this case really does not warrant the use of the word "hack/hacked" under any meaning of the word whatsoever. This is an act of pure vandalism, nothing more.

  5. Re:Super secret password by maxwell+demon · · Score: 2, Insightful

    Didn't they tell you to use both uppercase and lowercase letters? Had you used "Passw0rd" instead, nobody would have found out!

    --
    The Tao of math: The numbers you can count are not the real numbers.
  6. Hack by Stargoat · · Score: 5, Insightful

    Is a social engineering attack a hack? It sounds like someone called over to EarthLink and got an e-mail password reset. Then, once holding the e-mail account, called over to Network Solutions. This sort of thing wouldn't be difficult at all.

    --
    Hoist Number One and Number Six.
    1. Re:Hack by zarozarozaro · · Score: 5, Interesting

      Mod parent up. A company I used to work for used Earthlink as their provider for everything (web, email, ISP). I pretty much had to take on the IT admin role there. They had lost all of their passwords and logins. I could not believe how easy it was for me to take control of everything in ONE DAY without even getting my boss on the phone with the support guy at Earthlink. Security at Earthlink is a joke. The support people there seem to choose one piece of your information at random to verify that you are the account holder. They will often ask you to tell them your password over the phone and other similar nonsense.

    2. Re:Hack by BobMcD · · Score: 2, Insightful

      > Is a social engineering attack a hack? It sounds like someone called over to EarthLink and got an e-mail password reset. Then, once holding the e-mail account, called over to Network Solutions. This sort of thing wouldn't be difficult at all.

      FYI - 'Hacking' never is, never has been, and likely never will be. The kind of amazing tricks you're imagining under that term lie within the realm of security research, espionage, etc. 'Hackers' are, by definition, hobbyists, and hobbyists are generally doing it for the love of the game, for the fun of it, etc. The guys doing the stuff that might actually amaze you are being PAID to do so. Otherwise they'd give it up and move on to something easier, until such time as nothing easier actually exists. So you say that exploiting a social gap isn't '1337' enough to make the grade? How is utilizing a published Windows exploit any better? SQL injection? Nobody but nobody is divining their own security-breaking code from tiny mystical oracles found at the bottom of Mountain Dew cans.

      In short, the movie 'Hackers' bears zero resemblance on reality.

    3. Re:Hack by fostware · · Score: 2

      > In short, the movie 'Hackers' bears zero resemblance on reality.

      Huh?

      The bulk of the leadup to a hack involved sifting through logs, dumpster diving, and social engineering (like the eidetic memory delivery guy or asking A/H guy what the phone number was on the label).
      The fancy graphics and the ZOMG! 486! were all Hollywood, but there were some moments the scriptwriters didn't screw up beyond recognition.

      Besides, I still own my 'Man in a pink shirt' book ^_^

      --
      "We know what happens to people who stay in the middle of the road. They get run over." - Aneurin Bevan
  7. Re:Backups for the win! by erroneus · · Score: 5, Insightful

    But they weren't smart enough to mirror submissions to other servers and so two days of submissions were lost. Those two days could easily have been the target. If so, then mission accomplished.

  8. Professional vs. Amateur Hour by cdrguru · · Score: 4, Insightful

    A professional organization that knows its web presence is its life is going to have a bit better setup than a server that someone else (Network Solutions in this case) has control over. The right solution is a co-located server that is controlled exclusively by the organization. The hosting company doesn't need to have any passwords. They are also going to have their email processed by their own server and not be relying on an ISP for anything at all except connectivity.

    However, a completely amateur operation is going to use shared virtual hosting because it is cheaper and the hosting company will be doing backups for them. And controlling passwords. And all other security. Oh, and using a non-domain based email setup from an ISP.

    I guess it is pretty obvious into which category Cryptome falls, right?

    Yes, it would cost $2000 a year or more for a co-located server whereas shared virtual hosting is dirt cheap.

    1. Re:Professional vs. Amateur Hour by twoallbeefpatties · · Score: 4, Insightful

      > [A] completely amateur operation is going to use shared virtual hosting because it is cheaper and the hosting company will be doing backups for them. And controlling passwords... I guess it is pretty obvious into which category Cryptome falls, right?

      Being a non-profit organization, Cryptome's status as a professional organization or an amateur organization probably depends on the size of their donation base. For a website group trying to get by on a shoestring budget... well, maybe this little stunt will help them raise awareness to get the donations for a better server setup. (Not that I actually know the size of their donation base, and maybe they do have enough money for that sort of setup and they're just stingy/stupid.)

      --
      Libertarians somehow believe that private businesses should be stronger than governments but weaker than individuals.
    2. Re:Professional vs. Amateur Hour by c · · Score: 2, Interesting

      Using virtual hosting might be intentional. A lot of people don't particularly like them. Including agencies of the US government. By running their site on a shared box with hundreds (thousands?) of others, they're a little more protected against the infamous "just take the whole server" attack. Also, it gives them more money to allocate to bandwidth costs, which as I understand it are pretty high.

      --
      Log in or piss off.
  9. Old school by 0xdeadbeef · · Score: 5, Informative

    Cryptome was cool before Wikileaks made it mainstream. And John Young is the original gangsta, so you know he got backups. Bitches don't know about all the backups he has.

  10. Re:Hmmm. by hoggoth · · Score: 5, Funny

    > no one will ever know, so its moot.

    Oh Christ don't bring 4chan into this!

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  11. Re:Hmmm. by interkin3tic · · Score: 2

    I'd expect that if it were a publicity stunt, they might mention a possible motive. As it is, I'd probably guess it's something like a bored teenager who was too lazy to scratch some vulgarity on a bathroom wall. Had they made even a tenuous conspiracy theory I might be more interested. Interested enough to click on over to cryptome anyway.

    Not to say that obviously this isn't a publicity stunt because it could have been done more effectively.

  12. Wired Reporter to be Subpoenaed by savanik · · Score: 3, Interesting

    And Cryptome is now saying that a Wired reporter contacted them after having spoken with a hacker claiming responsibility for the attack.

    Which they responded to with a threat of a subpoena, and publishing news about it before the reporter, after they told the reporter they wouldn't? ... er. Way to burn bridges, guys? Seriously, I understand free speech and using reporters as sources, but I don't think reporters are going to be too gung-ho about reporting your findings later after this.

    1. Re:Wired Reporter to be Subpoenaed by RapmasterT · · Score: 4, Interesting

      Well, if someone told me they had knowledge of a person who had committed a very serious crime against ME, but were refusing to share that information with me, then I wouldn't honestly feel the slightest obligation towards them either. I'd tell them whatever they wanted to hear to get the maximum information out of them.

      AND I'd try to get that subpoena too. The First Amendment guarantees freedom of the press, but it doesn't guarantee freedom from subpoena. An ethical journalist would go to jail in contempt of court before giving up a confidential source, but since journalism has abandoned most of the principles of old, I wouldn't count on that happening.

  13. SSH FTW by MichaelSmith · · Score: 2, Interesting

    It's the only CMS I use on my servers. Mercurial for version control over ssh. Update my sites with hg push. Hooks on the receiving side to run hg up and rebuild if required. SSH can be configured to require certificates only for authentication. Desktop environments all integrate with ssh-askpass or similar.

  14. Re:A little paranoid. by Anonymous Coward · · Score: 3, Informative

    Good work soldier! Wikileaks is obviously a Soviet cover operation to rape our baby seals and sabotage the fourth of july, blow up over the woods so that to grandmothers house we can't go.

  15. Re:Colo vs Home Server vs Virtual Machine, and bac by phyrexianshaw.ca · · Score: 3, Insightful

    Also... only 8G of data? That's it?

    how much data do you expect them to host? it's not like they store multi GB long videos of events or anything.

  16. Re:Backups for the win! by gman003 · · Score: 3, Insightful

    Quite likely, any important submissions will be resubmitted. Not all, of course, but if I had something that I felt HAD to be leaked, I would keep leaking it until it stuck.

  17. Re:Backups for the win! by taucross · · Score: 4, Interesting

    Of course the important submissions will be resubmitted. Unless the submitter died from a suicide, or heart attack.

    --
    "In the absence of the ability to establish the attribute of truth they tried to establish the noble attributes."
  18. Laundry day by zooblethorpe · · Score: 3, Funny

    > ...if I had something that I felt HAD to be leaked, I would keep leaking it until it stuck.

    Why am I suddenly worried for the state of your laundry?

    Cheers,

    --
    "What in the name of Fats Waller is that?"
    "A four-foot prune."
  19. Re:A little paranoid. by Peeteriz · · Score: 2, Insightful

    Wikileaks doesn't harm western democracies - they do inconvenience the administrations, but the whole concept of leaks are great for the society, citizens, and especially the democracy part; silencing leaks would harm western democracy and destroy the whole meaning of it. I don't care about Chinese government cheating their citizens - that's their problem, I want to be informed about the failures and lies of *my* officials that I elected and that affect my country. I don't want to improve country reputation by simply hiding unflattering things, I want to improve the reputation by fixing the faults. Lying to ourselves about bad stuff not happening is the domain of North Korea, not the western world.

    And what do you mean about "journalistic discretion"? The big newspapers that are following your so-called "journalistic discretion" shouldn't be allowed to call themselves journalists because of this anymore. In earlier times they did proper journalism, dug up the dirt themselves, interviewed informants, cared about their reputation of protecting the anonymity of their sources and fought for the right of publishing facts for the society, even and especially if the government claims to be harmed by the facts - for example, the Pentagon papers case. Now wikileaks has picked up the slack where the "journalists" are failing their role in society, and it's a shame - but a shame for the publishing industry.

  20. Re:vandalism, nothing more? by azrider · · Score: 2, Interesting

    And for those who don't want to read the book, he used whatever dot matrix printers he had available. Remote syslog to a machine with WORM media works too.

    If you can't afford such writers, mount /var/log (or /var/adm depending on your system) on a remote with a different authentication with the directories as 500(-r-x------) and files as 300(--wx------) with a specific user for whichever syslog variant you use. Then chattr +i on the remote system so that the directory is immutable. On the remote system (if using rolling logs) don't forget to change the logrotate (or other appropriate cron configuration files).

    Works every time for system security stuff.

    You can tailor the logs for as much or as little as you need. Until the cracker can compromise your remote logging system (which should have different root passwords, no sudo/ssh credentials and no other root access than the physical console), everything is recorded. Once it is cracked, you will know when it happened, because without the proper credentials on the logging system nothing can be erased.

    Tripwire/dnotify/inotify are your friends if you take the time to learn them and if you take the time to set them up properly.

    --
    And ye shall know the truth, and the truth shall make you free.
    John 8:32(King James Version)
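
The log-directory scheme described in the comment above (directory mode 500, log files mode 300, immutable flag on the directory) can be verified on the logging host with a short audit script. This is an added example, not part of the original comment; the function name `audit_logdir` and the `--require-immutable` option are assumptions, and it relies on GNU `stat` and on `lsattr` from e2fsprogs.

```sh
#!/bin/sh
# Added example: audit a log directory against the scheme from the comment.
# Assumes GNU stat (stat -c) and, for the attribute check, lsattr (e2fsprogs).

audit_logdir() {
    dir=$1
    require_immutable=${2:-}
    findings=0

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi

    # Directory must be r-x for the owner only, so nothing can be created,
    # renamed or unlinked inside it without first changing the mode.
    dmode=$(stat -c '%a' "$dir")
    if [ "$dmode" != "500" ]; then
        echo "FAIL: $dir has mode $dmode, expected 500"
        findings=$((findings + 1))
    fi

    # Log files must be -wx for the owner only: the syslog user can write
    # to them but cannot read back what was logged.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c '%a' "$f")
        if [ "$fmode" != "300" ]; then
            echo "FAIL: $f has mode $fmode, expected 300"
            findings=$((findings + 1))
        fi
    done

    # Optional: the directory should carry the immutable attribute (chattr +i).
    if [ "$require_immutable" = "--require-immutable" ]; then
        attrs=$(lsattr -d "$dir" 2>/dev/null | cut -d' ' -f1)
        case $attrs in
            *i*) ;;
            *) echo "FAIL: $dir is not immutable (lsattr: ${attrs:-unavailable})"
               findings=$((findings + 1)) ;;
        esac
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: $dir matches the scheme"
        return 0
    fi
    return 1
}
```

Run it from cron on the logging host, for example `audit_logdir /var/log --require-immutable`, and alert on a non-zero exit status.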