
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Hacking Security Researchers

When Alan Shimel (StillSecure) and Petko Petkov (GNUCitizen) had their online mail accounts hacked in the latest bout of Full-Disclosure posturing, the contents of selected emails were published to the list and, in Alan's case, objectionable content was sent to various mailing lists he was involved with. Reactions ranged from ignoring the event through to blaming Alan and Petko for using webmail accounts for more than they really should have.

The irony of security experts having their own security shortcomings exposed so publicly was not lost on the group claiming responsibility for the attacks, or on a number of observers. The incidents prove the adage that it is a matter of "when" not "if" you will be hacked. More importantly, they show that it only takes a single lapse in procedure for a critical weakness to be opened up in a security position. If there are multiple lapses that can then be chained together, then it only exacerbates the problems being faced. When a security expert is relying on their reputation to attract clients, being smeared like this doesn't help their case. How somebody recovers and responds to such an incident is key to their future reputation, and maybe even their future earning potential.

Alan and Petko's responses to the breach of their security can easily be found online, and it is interesting to see the general posture taken by both (and also by some of the external parties affected when emails were published or malicious content was sent to them). The significant differences in approach may be due to American / European cultural differences, but blaming the service providers for a mistake on your own behalf is probably not the best way to go about rebuilding after a compromise.

An interesting side point to Alan Shimel's experience is that he had his personal domain redirected at GoDaddy after the hackers were able to use his legitimate email account to direct GoDaddy to unlock the domain and make the requisite changes. Without a backup channel for validating such directions (such as a phone call), what else is a registrar to do - the email came from the correct account. With the level of control the hackers had over the various accounts that Alan held, including full details of his credit cards, it wouldn't have taken much more for them to completely transfer control of his sites and potentially severely restrict Alan's access to his own finances.

While Alan was able to use his personal contacts to gain rapid access to in-person support at major service providers, this isn't necessarily something that many people will have easy access to, and even then it takes a measure of trust on the service provider's behalf to believe the caller is who they say they are and not the hackers making a last-ditch social engineering attempt to regain control of the site(s).

Taking the Turkish approach to solving this problem is not necessary, but it might be a fun fantasy for a while.

27 August 2008
