You may have heard, from articles such as Real Black Hats Hack Security Experts on Eve of Conference, that the security on Dan Kaminsky’s and Kevin Mitnick’s professional Websites was cracked. As the Wired article put it:
Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site.
Kevin Mitnick is notable as the most wanted computer criminal in US history at the time of his arrest in 1995. Since getting out of the hoosegow, he has become a computer security consultant and author, capitalizing on his ill-earned fame.
Dan Kaminsky is a security researcher and the Director of Penetration Testing at IOActive. He is most recently notable for his extremely well marketed work on DNS cache poisoning, and his talk on the subject at the Black Hat Briefings conference last year. He also showed evidence that the infamous Sony rootkit had infected more than 568,000 computers.
The compromise of the security of these two big names in security circles is only the tip of the iceberg, however. In a text file left behind as a calling card of sorts, the perpetrator of these compromises and many more shares opinions, facts, and previously secure data harvested from a number of servers, complete with mockery of the bone-headed security gaffes that allowed some of these security cracks. The document, mirrored at sucuri.net, takes the form of a newsletter titled Zero For 0wned 5, the fifth in an irregularly “published” series — abbreviated ZF05.
After the intro, ZF05 shares information about compromises of quite a few Websites, opines about the state of the security industry in general, hands out “Pwnie Awards” as a sort of booby prize to people who are particularly reviled in the eyes of the ZF05 author(s), and even has some choice words for the “Anti-sec” perpetrator.
Amongst all these bits of interesting news (all of it bad for someone), what most caught my eye was the cracking of PerlMonks user password security — mostly because it’s the only site listed as compromised in the ZF05 newsletter where I have an account, though I haven’t really frequented the site in a while. It turns out that user passwords are stored in a database in plain text, rather than hashed. In the words of ZF05:
There is a really simple reason we owned PerlMonks: we couldn’t resist more than 50,000 unencrypted programmer passwords. That’s right, unhashed. Just sitting in the database. From which they save convenient backups for us.
Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let’s just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I’m sure you can figure it out yourselves.
This isn’t a bad set of passwords, either. Programmers have access to interesting things. These Perl guys are alright, just a little dumb apparently. A lot of them reuse. You can explore them yourselves, I really do not want to point out anyone in particular.
The key take-away from this, of course, is that you should never reuse a password between sites. Get yourself a good password manager application; you should only really have to memorize a handful of strong passwords, and store the rest in your password manager.
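To make the PerlMonks gaffe concrete, here is an added example (my own code, not from ZF05, PerlMonks, or this article) that puts the plaintext storage the newsletter describes next to a salted, slow-hashed alternative. The user names and passwords are constructed; the hashed record format and the PBKDF2 round count are my choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample table in the shape ZF05 describes: the password itself is the stored value,
# so a backup of this table is a ready-made password list, and reuse across users is visible at a glance.
PLAINTEXT_TABLE: Dict[str, str] = {"alice": "correct horse", "bob": "correct horse"}

PBKDF2_ROUNDS = 200_000  # work factor; raise it over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$rounds$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record (e.g. a leftover plaintext value) never verifies
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def migrate_to_hashed(plaintext_table: Dict[str, str]) -> Dict[str, str]:
    """One-shot migration of a plaintext table to salted hashed records."""
    return {user: hash_password(pw) for user, pw in plaintext_table.items()}


if __name__ == "__main__":
    hashed = migrate_to_hashed(PLAINTEXT_TABLE)
    for user, record in hashed.items():
        print(user, record[:48] + "...")
    # Same password, different salts: a dump no longer shows who shares a password.
    print("records differ:", hashed["alice"] != hashed["bob"])
    print("alice logs in:", verify_password("correct horse", hashed["alice"]))
```

Note that a leaked copy of the hashed table still lets an attacker guess offline, which is why the work factor matters and why the password-reuse advice above stands regardless of how well a site stores its passwords.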
Other lessons can be gleaned from the ZF05 commentary, too, of course, and much of it can make for an entertaining read.