Hack or research?
23 July 2013
We are all familiar with web hacks: incidents such as the PlayStation Network hack or, closer to home, the GAA and Boards.ie hacks. These attacks usually harvest a large number of credentials, typically those of the site's or service's users.
This kind of theft is often motivated by the opportunity to sell valid credentials on, so that buyers can assume false identities for nefarious purposes. Sometimes what attackers are after is verified payment methods: linked PayPal accounts, credit cards or the like.
But two recent incidents could signal a change in tack for this kind of attack.
The Ubuntu forum hack provoked outrage from the developer community, but it also prompted a response from the suspected attacker.
Someone calling themselves "Sputn1k_" is thought to have stolen around 1.8 million passwords, and used Twitlonger, the Twitter extended-post service, to tell the world that the intention was not to steal the passwords for dastardly reasons. Sputn1k_ did confirm that the passwords were not stored in the clear but were hashed, though with a fast scheme chosen for performance rather than for resistance to cracking.
Sputn1k_ said that the purpose of the attack was simply to grab the prize (the passwords), post a message and get out, in order to demonstrate the vulnerability of the service. The implication was that this is something Sputn1k_ does regularly against various targets.
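Why a hash "chosen for performance rather than security" matters once the database has left the building: an attacker works offline, never touching the site again, and the only thing limiting the guess rate is the cost of one hash. The example below is added here and is not code from the original post or from the Ubuntu forums. The post does not say which hashing scheme the forum used, so a single salted MD5 round stands in for the "fast" case and PBKDF2-HMAC-SHA256 for the deliberately slow one; the wordlist, salt and "leaked" record are constructed for the demonstration.

```python
"""Added example (not from the original post): offline dictionary attack
against a leaked password hash, fast scheme versus slow scheme.
The wordlist, salt and leaked record below are constructed for illustration."""
import hashlib
import hmac
import time
from typing import Callable, Optional, Sequence

# Constructed for this example: a toy wordlist and one per-user random salt.
WORDLIST = ["123456", "password", "letmein", "qwerty", "ubuntu", "sputnik"]
SALT = b"\x8f\x1a\xc3\x07\x44\x9e\x2b\xd0"

HashFn = Callable[[str, bytes], bytes]


def fast_hash(password: str, salt: bytes) -> bytes:
    """One salted MD5 round, assumed here as the 'performance over security'
    scheme. The salt defeats precomputed tables, but every guess still costs
    the attacker about a microsecond on one core."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a high iteration count: deliberately expensive,
    so each attacker guess costs roughly what one legitimate login costs you."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack(stored: bytes, salt: bytes, hash_fn: HashFn,
          wordlist: Sequence[str]) -> Optional[str]:
    """Offline dictionary attack on a single leaked record. This is all the
    attacker needs once the hashes are in hand; the site is never contacted."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_fn(candidate, salt), stored):
            return candidate
    return None


def guesses_per_second(hash_fn: HashFn, salt: bytes, budget: float = 0.25) -> float:
    """Rough single-core guess rate for hash_fn, measured over `budget` seconds."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < budget:
        hash_fn("guess%d" % count, salt)
        count += 1
    return count / (time.perf_counter() - start)


def fast_vs_slow_ratio() -> float:
    """How many times more guesses per second the attacker gets against the
    fast scheme than against the slow one, on this machine."""
    return guesses_per_second(fast_hash, SALT) / guesses_per_second(slow_hash, SALT)


if __name__ == "__main__":
    leaked = fast_hash("ubuntu", SALT)  # a record as it would appear in the dump
    print("recovered from fast hash:", crack(leaked, SALT, fast_hash, WORDLIST))
    print("fast/slow guess-rate ratio: %.0fx" % fast_vs_slow_ratio())
```

The slow scheme does not stop the dictionary attack on a weak password; it only makes each guess expensive, which is the whole point. With a real wordlist of millions of entries, the ratio printed above is the difference between recovering most of a 1.8 million-row dump in hours and needing years of compute for the same result.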
The incident was strangely mirrored by events at the Apple Developer Centre web site, which was taken offline amid fears of an attack aimed at stealing credentials.
Again, someone claiming responsibility, a Turkish IT security researcher calling himself Ibrahim Balic, wrote a letter explaining his actions.
Balic said that he is not a hacker, that he found 13 security bugs in the system and immediately reported them to Apple, and that he neither made them generally known nor exploited them. He did say that he had 73 user accounts, which he said included some Apple employees, but that he wasn’t doing anything bad with them.
The developer site remained unavailable at time of writing.
In much the same way that we reported on crypto-currencies potentially changing the IT security landscape, are we now seeing IT security pros looking to bolster their credentials by taking a high-profile scalp, in the form of revealing vulnerabilities in a well-known service?
In the same way that script kiddies were simply looking for kudos with annoying early viruses such as Melissa or ‘I love you’, it seems that competition in the world of IT security is prompting some ‘researchers’ to probe well-known services for vulnerabilities that can be identified, if not exploited, and then used to bolster their own reputations.
This uninvited examination is unwelcome in the wider world because, when such research is detected, the target usually cannot tell it apart from a genuine attack: the probes look the same, the data being pulled is the same, and there is no prior agreement on scope. Either way, this modus operandi now appears to be occurring with greater frequency.
While I’m sure most legitimate IT researchers would never do anything unethical in such situations, it is hard for the likes of the Apple Developer site administrators to credit their good intentions after the fact. In these days of paranoia and widely publicised hacks, often state sponsored, IT security bods might do well to modify their approach to unsolicited security evaluations.