
You Know Your Next Hacker

June 4, 2015 (updated July 15th, 2016) | IT Support in Toronto


http://blog.lumension.com/10200/you-may-already-know-your-next-hacker/?utm_content=buffer223af&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer

You Already Know Your Next Hacker


Over the last couple of weeks I’ve seen a pattern of companies frustrating an individual to the point where the person gives up trying to communicate with the company and hacks them in a major way instead. I guess you could call it Revenge Hacking. In each case, the company was communicating with the person in an above-board manner. But the companies were giving them the run-around instead of being the least bit cooperative. Eventually the person decides they’re getting no satisfaction from taking the proper approach, and takes a more devious approach. Both companies have been in the headlines for being hacked, and their customers’ private data is now “out there” in a spreadsheet on the Dark Web.

Gaana


Last week I asked how your organization responds to vulnerability reports. I said that it’s important to take these seriously, because sometimes even hackers try to do the right thing and report them. The folks at Gaana.com weren’t listening. Gaana.com is the largest streaming music site in India. Alexa ranks the site globally at 1334, making it more popular than Last.fm.

One of Gaana’s 10,000,000 registered users, who goes by the handle Mak Man, reported to the company that a SQL injection vulnerability existed on the site. It’s unclear if the company didn’t respond, or didn’t address the problem. Either way, Mak Man apparently didn’t think the company believed him. A quick look through his Twitter feed shows plenty of bragging on previous hacks, and you could predict what he was going to do next. He leveraged the vulnerability to download the entire database of registered users, along with their details. He also took a screenshot of the site’s administration console. He posted proof of his successful exploit on Facebook. He also posted proof-of-concept code for the exploit on his own site.

THEN Gaana started taking him seriously. Satyan Gajwani, the CEO of Gaana’s parent company, took to Facebook and Twitter to ask that the data be taken down, and to reassure Gaana customers that everything was fine. From Gajwani’s Twitter feed:

First of all, we have patched the vulnerability within an hour of its discovery, as MakMan has also acknowledged.

That’s certainly not true. Maybe within an hour of being hacked, but not within an hour of it being reported. And what kind of data would people have in an account on a streaming music site? A look at Gaana’s Privacy Policy indicates there may be some pretty interesting stuff in there (emphasis mine):

“…users are required to provide certain personally identifiable information for the registration process which may include: a) your name, b) email address, c) sex, d) age, e) PIN code, f) credit card or debit card details, g) medical records and history, h) sexual orientation, i) biometric information, j) password, k) your occupation, interests, and the like etc., …we may require your contact address as well.”

That’s a lot of info to give up just to stream music. Mak Man says he didn’t even take the time to go through the database. He took down the POC code, screenshots, and sample data when the company started addressing the problem and asked him to take down the data.

The PR story is that because Gaana responded quickly, the site was only down for the better part of a day, and no one’s information was shared.

The real story is that we only know that user data wasn’t shared by Mak Man – but who knows about anyone else. The vulnerability in the site existed for some time. In reality Gaana did not act quickly to address it. It was reported to them well before the breach. They left it there until it was publicly breached. Any other hacker could have seen the opportunity and taken it silently instead of going public.


Adult Friend Finder


You’ve probably heard that Friend Finder Networks’ (FFN) site AdultFriendFinder.com was hacked. AFF is a site for people who are looking for intimate partners. And the details in one’s profile are the type you probably wouldn’t want shared with just anyone. About 4 million users’ data was posted for sale in an online forum a couple of weeks ago. The actual breach, though, may have taken place months ago.

The background for this story is a little cloudy to say the least. Documents I read last week related to the hack are now gone. The forum sale postings are also gone (of course), and threads about it have dried up. The news stories have focused mostly on the embarrassing possibilities of the hack, not really the catalyst behind it. This week I ran across another source that indicates FFN was informed of the hack months before the data was posted for sale and headlines started to break. They did nothing at that time, even saying now that the email notification they received went into their spam folder. They’ve essentially said ‘We get a lot of email, we can’t give our full attention to all of them’. OK, fine. But in looking at the email that notified them of the breach, it’s a pretty serious email. Not one you would blow off. And there are evidently read-receipts for the notification email, and internal emails indicating the breach is a non-issue.

Why AFF was targeted seems to be a bit odd. As I said, most of the documents which were posted last week are now 404, but here’s the impression I got from reading up – I don’t know any of this to be fact, but it looked as legitimate as anything else does on the web FWIW. Someone using the handle ROR has a beef with someone who had an AFF account. ROR wanted AFF to give them the identity of the person who opened that AFF account. Parent company FFN of course refused to disclose their user. Fine so far. But ROR apparently got a court to issue a subpoena for the information. Presumably his beef was somewhat legitimate for a court to side with him. But FFN gave him the run-around, saying they didn’t have to comply because the subpoena was issued in California and they are in Florida. When ROR got the subpoena issued in Florida they said they didn’t have to comply because they were in New York. He issued the subpoena in New York, and served it to their registered statutory agent, etc. No help from FFN in identifying this one person. It seems ROR exhausted every legitimate avenue of determining the owner of this AFF account.

So, on to the illegitimate avenues. Pretty soon, ROR had the owner of that AFF account, and nearly 4 million more. The data contained lots of juicy stuff like married users with government email addresses looking for mistresses. Sexual preferences and proclivities for all to see. Even if you had canceled your AFF account, the data of course was still there. The list was offered at a Bitcoin equivalent of around USD 16,000 in a Dark Net forum. It’s unclear if the list was sold as intended, or sold in bits. It is reported that email addresses from the list are now being bombarded with spam, so at least that part of the list has been distributed.

Again, FFN was notified of the hack months before it hit the headlines. They were offered free help in resolving the issue. They decided not to respond. Now they’re paying Mandiant and working with the FBI. It could have been easier.

If you’re working to protect your organization from being hacked, it might pay to take a look at the people your organization is ignoring. You may already have been introduced to your next hacker.
