[ISN] White-Hat Hate Crimes on the Rise

From: InfoSec News (isnat_private)
Date: Wed Aug 14 2002 - 02:36:13 PDT


    http://www.wired.com/news/culture/0,1284,54400,00.html
    
    By Brian McWilliams 
    2:00 a.m. Aug. 13, 2002 PDT 
    
    When hackers broke into Ryan Russell's server and plastered his
    private e-mails and other personal files on the Internet last week,
    Russell tried to shrug it off as a harmless prank.
    
    But Russell, editor of Hack Proofing Your Network and an analyst with
    SecurityFocus.com, also seemed shaken by the incident.
    
    "There's a group out there whose goal in life is to show they're
    smarter than you and they have the tools to do it," said Russell, a
    "white-hat" hacker who goes by the nickname "BlueBoar."
    
    The break-in at Russell's Thieveco.com site, which is hosted by a
    Canadian ISP, appears to be the latest in a series of attacks against
    white hats and prominent figures in the information security
    profession.
    
    Claiming responsibility for the attacks is a shadowy group named el8.  
    Earlier this year, members launched Project Mayhem, a campaign
    designed to "cause worldwide physical destruction to the security
    industry infrastructure," according to an article published last month
    in el8's online magazine.
    
    While the authors of el8's e-zine have an obvious penchant for
    tongue-in-cheek hyperbole and black humor ("Going to Defcon or
    Blackhat? Initiate a napalm strike," urges one recent article), most
    victims of Project Mayhem are not amused.
    
    OpenBSD co-founder Theo de Raadt, cited as a top el8 target, angrily
    refused to discuss the compromise in late July of a file server
    maintained by the open-source, Unix-based operating-system project. On
    Aug. 1, a dangerous Trojan horse program was discovered amid the code
    for OpenBSD, which is used by thousands of organizations and renowned
    for its security.
    
    While de Raadt wouldn't comment on whether there were any suspects in
    the case, the lead article in the latest el8 newsletter, published in
    early July, contains an obvious smoking gun. The article begins with
    several lines of screen-display from what appears to be an OpenBSD.org
    system. The "w-command" output suggests that attackers had access to
    one of de Raadt's accounts.
    
    According to Steve "Hellnbak" Manzuik, co-moderator of the VulnWatch
    security mailing list, hacker feuds are nothing new, and Project
    Mayhem isn't the first time that security professionals have been
    attacked by "script kiddies," or inexperienced hackers.
    
    "The only real difference is that the el8 guys are not script kiddies.  
    Nothing has changed, other than the bar has been raised," Manzuik
    said.
    
    Much of Project Mayhem's modus operandi appears borrowed from
    Hollywood. The group's newsletter cribs heavily from the 1999 movie
    Fight Club, starring Brad Pitt and Edward Norton, which depicts
    disaffected young males who find release in punching each other out
    and contemplating the complete and total destruction of society.
    
    "They are referencing it constantly. They're like a copycat of the
    movie, only moved to the hacker scene," said Thor "Jumper" Larholm, a
    white-hat security researcher with Pivx Solutions.
    
    Indeed, some of Project Mayhem's recent victims appear to be honoring
    a recurring line in Fight Club: "The first rule of Project Mayhem is
    you do not ask questions."
    
    Shane "K2" Macaulay, a member of a hacking counter-attack think tank
    called the Honeynet Project, had several recent e-mail conversations
    with Honeynet founder Lance Spitzner, as well as other colleagues,
    intercepted by hackers and mockingly reproduced in the latest el8
    zine. Macaulay declined interview requests.
    
    Other Honeynet members refused to comment on el8's published threats
    against their project, although one Honeynet participant conceded that
    "there are people in the movement that may be able to make some of
    their claims come true."
    
    Why so much venom against white hats, the hackers who ostensibly break
    software in order to help make the Internet safer? The el8 zines don't
    clearly spell out the group's motivations, but Project Mayhem appears
    to be a violent incarnation of the "anti-sec" movement, a campaign to
    persuade hackers not to publish information about the security bugs
    they uncover.
    
    "Why be targeted by us when you can join us? Why post info, codes, or
    bugs when the end result is your entire system, family, and friends
    being owned? Doesn't it look like more fun to be a black hat than a
    white hat?" asks el8 in its latest newsletter.
    
    According to Eric "Loki" Hines, founder of Fate Research Labs, el8
    members are frustrated by white hats who spill the beans about
    security vulnerabilities, thereby enabling vendors to create patches
    and protect users.
    
    "You've got to realize that these people are walking around with
    exploits that vendors haven't even heard of yet. They're pissed and
    they've got this almost God-like power that enables them to break into
    any network that they want," Hines said. He reported that FateLabs.com
    was knocked offline last week by a denial-of-service attack
    immediately after the security firm published an advisory about a
    security bug.
    
    Mark "Simple Nomad" Loveless, a senior security analyst with Bindview
    Corporation, said el8's stance is just an extreme version of that
    shared by many disillusioned hackers.
    
    "The commercial security industry is feeding off of white-hat hackers,
    and with the amount of fear, uncertainty and doubt being slung in the
    industry, I am not surprised by this feeling from el8," Loveless said.
    
    One recent Project Mayhem victim says being attacked by el8 "made me
    realize the errors of my ways." Christopher "Ambient Empire" Abad, a
    security expert with Qualys, confirmed that excerpts of e-mails and
    other files stolen from his directory on a server were published in
    el8's latest zine. A message in the newsletter announced that a CD-ROM
    of his files would be available for purchase at the Defcon hacker
    convention.
    
    "Not all that glitters is white hat," said Abad, whose new website
    includes a message that says "Support Hacker Reform ... The rights of
    the people come before the rights of the corporation and the
    government."
    
    Other hackers said they are sympathetic toward Project Mayhem,
    although they were quick to distance themselves from the recent
    attacks on white hats.
    
    Members of one group, which has recently taken over an Internet relay
    chat channel named #phrack, last week co-authored a mission statement
    saying that white hats will be "hunted down" if they continue to
    publicize information about security bugs.
    
    "If they do not change they will continue to be targeted, and it sucks
    to get owned, fired, physically beaten," said the #phrack manifesto,
    which was posted, along with the contents of Russell's home directory,
    at the website of one of the #phrack channel's operators, a
    16-year-old who uses the nickname "gayh1tler."
    
    But Hines said the constant threats he receives from angry black hats
    will not frighten Fate Research Labs into sitting on vulnerabilities
    it discovers.
    
    "One of these days, these kids are going to have to pay a mortgage and
    get a job. And they're not going to become lawyers or doctors --
    they're going to do what they're good at. And that means getting a
    career in the security industry," Hines said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


