The hacker group Zero for Owned have released their latest zine, and this time, in their own words, it’s “a big one”. The group claim to have compromised Kevin Mitnick and Dan Kaminsky, to name just the two highest-profile victims. The timing of the release can be no coincidence, with BlackHat opening this week.
The release was probably also embarrassing for victim Kaminsky: his own website, DoxPara Research, was defaced and bore the simple message, “Oh sh_t, Dan Kaminsky is 0wned and f_cked Up. Check doxpara.com/zf05.txt. July 28, 2009 | Filed Under Uncategorized”. The defacement was quickly cleaned up and as of this writing the site remains offline, but the file is out there now, with all its sensitive content.
As the document progresses, the group go on to detail information stolen from notable security researchers and online “hacker” forums including many passwords, private keys, configurations and personal correspondence.
Why do they do this? Well, again, in the words of ZF0:
“Are you professional types really this out of touch? I see all these papers about how to protect yourself from these super-fu__ing-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE. It’s the simple stuff that works now, and will continue to work years into the future. Not only is it way easier to dev for simple mistakes, but they are easier to find and are more plentiful.
Very few whitehats actually go out there and provide a service where they make people more secure. Not just for a day or a month. Are you genuinely fixing the underlying design and logic flaws that generate security problems for your clients or customers? If you actually clean up every exposed security flaw they have, will they still be “secure” in six months or a year?
We could go on. Just in general, the industry is failing. Flat out failing.”
I certainly don’t agree with the methods used, and while I would never lay claim to being a hacker (of any coloured hat), it is absolutely true to say that far too many individuals and corporations continue to leave themselves open to compromise through errors of omission, misconfiguration and unpatched/unhardened systems. According to this zine, that even includes the professionals. (The part that I snipped goes on to detail their objections to full-disclosure, but to be honest that is worthy of a separate discussion in itself.)
When the low-hanging fruit is so plentiful, the bad guys have no need to climb up the tree of complexity to steal your information and compromise your systems; that much is certainly true. In fact, the lessons that can be learned from this kind of event are manifold, and certainly more than can be squeezed into a single blog post. Have a look at Rafa Los’ Digital Soapbox for other observations about the implications of this zine.