Plunderous Informative Pirates

Blog Post created by rapid7-admin on Dec 30, 2010

Originally Posted by Sean Taylor

Gawker got owned. Bad. The resulting data breach resulted in some pretty entertaining fallout: a hacker gang took down a website purely on perceived arrogance and self-worth of the target, millions of accounts wound up compromised all across the web. NPR and other outlets wound up trying to tell us for like the 10th time how to make a secure password. Overall, it was probably the second-most entertaining data-breach this year. (The first one, of course, was when the GNAA goatse'd the world with the help of the media.) 

The coverage of the Gawker Media breach had me smiling in that megalomaniacal cat-stroking fashion. Everyone talked about the passwords-- not a whole lot more. It sort of demonstrates the disconnect between the general security community as a whole and the people who are most affected by secure and insecure products and measures. Strong passwords are really just the beginning. In fact, I really don't think the passwords are the worst part of the leak. 

Gawker Media is one of the more interesting aspects of the 21st century Internet: a blogging franchise. Sort of like how Yum! Inc. owns Taco Bell, KFC and a bunch of other restaurants, Gawker Media owns a bunch of different blogs, most notably Kotaku for gaming, io9 for sci-fi, Gizmodo for tech, and-- even that ever-pervasive staple of the Internet-- Fleshbot for porn. (And if you think that porn-blog is in the least bit worksafe, you're completely wrong.) If you have an account on any Gawker site, you have access to the whole Gawker Media franchise. So if one site gets popped, it's likely that the other sites will get popped as well. That means, of course, #gnosis ran out of the Gawker site like bandits with 1.3 million e-mail addresses and passwords. 

Let's take a step back and provide a vague explanation from a business perspective. What does 1.3 million e-mail addresses mean? That means 1.3 million potential customers, 1.3 million potential consumers, 1.3 million potential viewers-- and as a result, a potential for a whole boatload more money than just 1.3 million. Granted, people are so seasoned against spam now that it's more likely that you'll only get about 13,000 users to return on your investment-- but that Gawker list? It's free, baby. You'd have nothing to lose and everything to gain as an advertiser with that list. After all, there's no way to legitimately prove the data was taken from that Gawker hack. And even if the seed data you used was, in fact, considered illegally rooted-- assuming anyone who cared enough to enforce that sort of law brought the hammer down on the advertiser (hint: highly unlikely)-- all the information you had gathered at that point isn't necessarily illegal in itself. Every day, advertisers are harvesting your Facebook information, your Twitter statuses and all sorts of other information about you. In a bank somewhere-- or in multiple places with multiple stories, really-- there's tons and tons of various little tidbits about you. What your favorite color is, what makes you angry, what turns you on-- all sorts of fun horrors like that. Any rogue entity who wishes to advertise at you with this information is going to do it. Advertisers are scrupulous by nature-- their entire business is about making money off of people by telling them to give someone money. That's all advertising is. If they make you laugh, you might give them money. If they scare you, you might give them money. If they appeal to your sense of self-importance, you might give them money. Competition dictates they abuse your psyche in order to get the most optimal gain for their employers. 

This is just advertisers! For the most part, these people will bind themselves by US law in some way or another-- from class-action lawsuits getting angry at their tactics, regulators stepping up to the plate and putting the kibosh on their ridiculousness or by their own self-regulation. What about the lawless, what can they do with this sort of data? 

We can start with the e-mails. Going back to the iPad "hack" that Weev and the Goatses managed to drag out of Apple's database, the list had quite a few high-profile people on it-- like a significant amount of .gov e-mail addresses. Goatse Security, in the name of honesty and white-hattery, censored the e-mail addresses when they released all the data. Well, let me be more accurate: when they released all the data to the press. All it takes is one little GNAA member to, say, sell the list to a spamming gang in Russia or an informative espionage gang in China. Suddenly, both of those groups have quite significant access to people within the government. 

What's interesting about e-mails, though, is that almost everyone has an e-mail address. Those who don't are either never connected to the Internet or somehow find other magical ways to register and communicate on the Internet. And because everyone has an e-mail address, someone needs to set up the infrastructure for it. Because of both the human desire to control and make things easy, employees are given addresses that follow a pattern-- usually firstname.lastname or firstname_lastname. A single e-mail exposed in this list at a single corporation will expose the pattern used by the company, thus leaving the potential to expose all users to potential contact by anyone who downloads this data. Suddenly 1.3 million becomes more than 1.3 million. 

But what does 1.3 million actually mean? That's roughly the population of just one or two counties in Los Angeles-- is it really worth it to be able to contact those sorts of people? What if it's just 1.3 million Internet denizens? Who cares if half of that number wind up being spam bots? 

Gawker Media attracts people of all shapes and sizes, of all backgrounds and types because of its business model-- being a blogging franchise of a vast array of generic, eye-drawing interests. Everyone who's on the Internet is, in one way or another, likely connected to a blog like this. And the data proves it-- from .gov to .com to .org.ua, there's quite a demographic of English speakers and readers who go to Gawker-based blogs. Programmers, journalists, cooks, pornographers, Catholics-- you name it, they're probably on that list somewhere. 

Because of the absolute diversity that exists within the Gawker network, this breach is much more significant than just a few thousand poor schmucks with the password 123456. Let's say you're an attacker who wants to go after TheWidgetReport.com, a blog all about the state of the Widget market. (It's even got a few cutesy jokes mocking the Widget industry.) They've got a few hundred writers-- after all, they've got the market on Widget reporting cornered. 

All of the writers at TheWidgetReport have an e-mail address-- but you don't know what their e-mail addresses are. They're never listed on the site, and in order to actually e-mail them you have to go through some ridiculous form that probably never gets to them anyway. (You know, because they don't want to expose the world to their e-mail address-- after all, that would get them quite a lot of spam and people they don't want to talk to to begin with!) However, every article written on TheWidgetReport is associated with a writer in some way or another, listed in the credit of each article that pops up. 

Let's say Shirley Cache is a writer for TheWidgetReport and just adores Jalopnik. She's got an account on Gawker's network-- in fact, she's one of only a few editors and writers from TheWidgetReport who know anything about the Gawker network. The Gawker breach happens-- but Shirley's smart. She's been around the Internet. She knows that if she uses the same password everywhere, it's going to come back and haunt her. The same goes for her other colleagues with Gawker accounts, thus rendering the passwords rather useless. 

The issue is that now the attacker knows what the pattern is for TheWidgetReport-- firstinitial_lastname@thewidgetreport.com. Now all the attacker has to do is write a script to scrape every article on The Widget Report and convert the authors into e-mail addresses. Suddenly the attacker's got a rather worthwhile list not only for performing social engineering attacks but for selling to spammers, too. Instead of simply having three addresses as an attack vector for TheWidgetReport, the attacker now has a nearly complete list of all employees at the company! This provides a much stronger likelihood of breaking into TheWidgetReport and running away with even more data than before-- such as, for example, all the readers of TheWidgetReport's e-mail addresses and passwords. 
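An added defender-side example, not from the original post: the triage an incident responder at a company like TheWidgetReport would run against a leaked list. It assumes the dump is in address:hash form (the sample below is constructed) and reports which of the organisation's accounts are exposed and whether, as with Shirley's firstinitial_lastname address, the leaked addresses are enough to give away the naming convention, in which case the whole staff, not just the exposed accounts, should be warned and watched for phishing.

```python
import re
from collections import Counter

# Constructed sample of breach-dump lines (address:hash); every value is made up.
SAMPLE_DUMP = """\
s_cache@thewidgetreport.com:5f4dcc3b5aa765d61d8327deb882cf99
j_doe@thewidgetreport.com:e10adc3949ba59abbe56e057f20f883e
P_Widget@TheWidgetReport.com:25d55ad283aa400af464c76d713c07ad
bob.smith@example.gov:d8578edf8458ce06fbc5bb76a58c5ca4
alice_jones@example.gov:0d107d09f5bbe40cade3de5c71e9e9b7
someone@example.net:5f4dcc3b5aa765d61d8327deb882cf99
garbage line without an address
"""
ADDR_RE = re.compile(r"^([^@:\s]+)@([^:\s]+):")
# Local-part shapes mail admins commonly hand out; single-initial forms come
# first so the full-name regexes do not swallow them.
PATTERNS = [
    ("f.last", re.compile(r"^[a-z]\.[a-z]+$")),
    ("f_last", re.compile(r"^[a-z]_[a-z]+$")),
    ("first.last", re.compile(r"^[a-z]{2,}\.[a-z]+$")),
    ("first_last", re.compile(r"^[a-z]{2,}_[a-z]+$")),
]

def classify_localpart(local):
    """Return the naming-pattern label for a local part, or 'other'."""
    for name, rx in PATTERNS:
        if rx.match(local):
            return name
    return "other"

def parse_dump(text):
    """Yield lower-cased (local, domain) pairs, skipping lines with no address."""
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2).lower()

def exposure_report(text, domain):
    """Exposed accounts for a domain, and whether they reveal its naming convention."""
    domain = domain.lower()
    exposed = sorted(f"{loc}@{dom}" for loc, dom in parse_dump(text) if dom == domain)
    counts = Counter(classify_localpart(a.split("@")[0]) for a in exposed)
    pattern, n = (counts.most_common(1) or [("other", 0)])[0]
    # Inferable once two or more addresses share a recognised shape that is a majority.
    inferable = pattern != "other" and n >= 2 and n * 2 > len(exposed)
    return {"domain": domain, "exposed": exposed, "patterns": dict(counts),
            "dominant_pattern": pattern if inferable else None,
            "pattern_inferable": inferable}
```

A single leaked address, or two that disagree, leaves the convention ambiguous; three that agree, as for thewidgetreport.com above, do not, which is the point of the story.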

Michael Burns asked us to make predictions for 2011, and I believe information is finally going to take center-stage as the thing everyone wants to abuse. Information is the crux of any form of attack-- for example, you can only create a buffer overflow after you've gleaned information regarding a specific vulnerability. Indeed, information can be abused for personal gain as well-- for example, advertisers harvesting your delicious Likes and Dislikes on Facebook as if it were fine-grain corn. With WikiLeaks taking over the headlines with how it deals with information, I made the prediction that we're going to see a whole lot more attacks based around information: character assassinations, massive spam campaigns and propaganda out the wazoo just to name a few. 

In essence, I think the Gawker hack is a nice little window into what's to come. Sure, data breaches have come in some form or another at some time or another-- that's why DatalossDB is so diligently documenting them. Indeed, blackhats are already well aware of the worth a plethora of precisely gathered information yields to anyone who wishes to purchase. But the security spectrum is shifting, and as it shifts, the lowest common denominator with the most potential gain is what gets the most attention. This is why you saw hacking trends shift from remote buffer overflow exploits to local buffer overflows to SQL injections eventually to XSS-- each item in the sequence became more and more secure over time, forcing the Internet background radiation to gravitate toward simplicity with greater gain. (I probably used "Internet background radiation" incorrectly there, but man is that a great topic! Read that paper!) 

In 2011, information will be in the crosshairs of the LCD of hackers and skiddies. It's just too ripe for the plundering-- there's no way to completely stop the abuse of it other than by reducing or obscuring the information, and to do that would disrupt business entirely. Information needs to be out there in order for a lot of people to function. And some information is worth quite a bit of bank to the unscrupulous and wickedly intelligent.