The most interesting thing to me was the evidence posted that other hackers had already penetrated these systems, which I guess goes without saying when you have little to no security in place.
Many many years ago when I was younger and playing with buffer overflows and learning shellcode, I'm not saying that I'm proud of this either, but in my journeys I had breached a couple of online retailers, had full access to their databases and internal networks.. of course I alerted them via anonymous e-mails, but what always struck me was the amount of times that I encountered files from 'hackers' just saying that they were here or what have you. Many of them just placing files because they couldn't transverse the NAT, and others who had uploaded ftp scripts but had typos in them so the scripts didn't get deleted like they had planned. Evidence of crimes and theft laying all over the internal network for months or years, and nobody finding it.
At some point it's hard not to side with people like ghostshell, because when you're supposed to be responsible for important information, but have seemingly no interest in protecting it, at some point the system is bound to fall apart.
I'm reminded of something I read posted by l0pht, way back when, and they just said how much better they were than everyone else because they had jobs at burger king and were dedicated to spending all of their time penetrating networks while their opponents were a bunch of overpaid nobodies who hated their jobs and overall really didn't care, and that they would always win.
while their opponents were a bunch of overpaid nobodies who hated their jobs and overall really didn't care
Every sysadmin I've met cares a lot. But they get to rely on products from disparate vendors that are full of zero day exploits and helpful users who are easily socially engineered.
Yeah, I read the article and a lot of these were on open accounts with no password required. The most charitable read is they're trying security through obscurity.
I wonder if any of them have heard of VNC Roulette.
Ive seen my fair share of incompetence and apathy in sysadmin land, but it annoys me so many prople jump straight to that, when it is often management that ties hands and forces sysadmins into those positions.
IT is seen as such a money sink, that true and proper workload and therefore workforce requirments are almost never understood, much less met, so you end up with a one man miracle show sysadmin working a 40k job, always on call, who literally doesn't have the time to be proactive. If he or she brings it up with management, their work is often criticized and the budget is whined about and they are lucky to get a teir 1 helper (maybe only part time too!).
Companies dont like spending money when they don't have to, and admins are on a whole spectacularly failing to emphasize the risks being introduced to the business because of it, all while generally being overworked and paid crappily and often overtime exempt.
I ought to know, I helped start up an IT consultancy and I'd say 3/4 of the clients were picking up after a half incompetent, half apathetic admin... but often it was just because at the end of the day, the admins arent getting payed enough to care that much. So something breaks, costs $money in downtime, forces the C levels to call consultants, and end up spending more than if they had just hired a few extra good people in the first place.
So, you arent wrong, but lets not lose sight of the fact that at the end of the day it's managements job to ensure the admins are given the tools they need to succeed, and to check competence levels with metrics you font have to be an admin to understand.
They arent though, so thats why I think sysadmins ought to revolt, kick back with a scotch, and watch the world burn.
"IT is seen as such a money sink, that true and proper workload and therefore workforce requirments are almost never understood, much less met, so you end up with a one man miracle show sysadmin working a 40k job, always on call, who literally doesn't have the time to be proactive. If he or she brings it up with management, their work is often criticized and the budget is whined about and they are lucky to get a teir 1 helper (maybe only part time too!)."
This is so spot on, I'm going to ooze nostalgia for a moment:
I was the tier 1 helper brought in to help the one man miracle 40k sysadmin, way back at the start of my career. He taught me pretty much everything I know about sysopping well, skills that after languishing for over a decade still let me perform miracles to the eyes of my current SWE coworkers, and even at my prime I only had a FRACTION of his knowledge.
He kept two datacenters, literally thousands of machines, almost singlehandedly out of "being on fire". His management would have been more effective had they actually been in-abscentia, I have some fun stories about when our manager broke networking by wiring a routing loop, leaving work early after giving up trying to fix it, and leaving me there alone because "I'm sure you can get it working". (In trying to fix it, management broke pretty much all our vnets and trunking, this all started because the main sysadmin was out sick, which he almost never let happen)
I can go on with stories for days, I don't think I really had a compelling point in this other than to say working with him biased me towards good faith in sysops. It's funny to say that since the few other helpers who passed through in the years I worked with him were mostly all the terrible things you hear about incompetence/laziness, but part of me now keeps an eye out in any shop that's not perpetually on fire for the one sysadmin keeping the roof up.
To give a point for this ramble, I just want to voice out my support for those one man miracle shows, as an attempt to further thank the one who helped me so damn much, who was given so little for doing so.
To bring this back to the point of the OP, which I entirely forgot at the end of writing this, at one point we found that a keylogger had been hidden in our systems, and a rootkit had likely been proliferated. We recommended essentially a full nuke and repave, since there was very little we could do at this point to determine the extent of the compromise. Not only did management disallow us from properly cleansing some systems, they didn't even let them be taken down and rekeyed fully, making our efforts in the clusters we had full control over essentially moot. In short, sometimes a company can seem almost pathologically against good practices, despite the best intentions of those who might know better.
>I'm reminded of something I read posted by l0pht, way back when, and they just said how much better they were than everyone else because they had jobs at burger king and were dedicated to spending all of their time penetrating networks while their opponents were a bunch of overpaid nobodies who hated their jobs and overall really didn't care, and that they would always win.
>I think that still holds true today.
This'll sound a little harsh, but if you have to work at burger king to fund your living then you aren't a very good hacker.
There's no lack of opportunities for those with talent.
>This'll sound a little harsh, but if you have to work at burger king to fund your living then you aren't a very good hacker.
>There's no lack of opportunities for those with talent.
I read it more like "We choose to lead a meager lifestyle -- even with our tremendous abilities -- because working for someone would direct our efforts towards their goals rather than allowing us to pursue our own novel research which is fueled purely by passion for the subject."
Good thing places like Burger King are non-profits :-)
Though that was a different time, when you really had to get a job somewhere, and I see their point. Today of course it's easier to do just enough short-term work without a long-term commitment (Upwork, etc) to be functionally solvent without having to resort to fast-food.
But with those kinds of things, you're showing off some skill. You contribute positively to any profile which says that you have the know-how to hack in the first place.
> The most interesting thing to me was the evidence posted that other hackers had already penetrated these systems
Some 20 years ago it was common knowledge among hackers that the reason critical IT-infrastructure has not been used to do real harm was that "good" hackers locked destructive hackers out of systems they had pwned.
To me the most interesting thing is that information security is still not on the curriculum for devs. There is no fscking reason a power plant or cement plant needs a bidirectional connection to company headquarters except for saving a few bucks on skilled on-site personnel. And don't get me started on cloud-based IoT-idiocy.....
> Some 20 years ago it was common knowledge among hackers that the reason critical IT-infrastructure has not been used to do real harm was that "good" hackers locked destructive hackers out of systems they had pwned.
I was around during this time and can vouch for it. Back in the 90s there was really nothing like a computer security industry. Firewalls were things you heard about but almost never saw in practice. Systems were hooked up in ways which today would be considered gross negligence. University networks and Telenet were full of easily-accessible machines and networking equipment. One of the first times I got caught doing bad shit was on a SysV Unix system of the newspaper in the next town over. I had met another user on that system who was one of these vigilantes. He actually had caught me trying to root the box and deactivated my dialup login so that when I logged in, it spat out the motd and immediately disconnected. The message said to call a number for "support". I called the long distance number, and got questions and a lecture about my bad behavior. You know, being thirteen years old, I didn't think things through. I was just scared for my life that the cops were going to show up to my dad's house (they did later, for something different, but I digress). He was totally open about not working for the newspaper, and not being the regular sysop. He said he was another user trying to keep me from getting in real trouble.
There is a "telenet simulator" on the internet[0] that you should check out. This will give you some idea what it was like to use Sprint's Telenet system, which was a worldwide dialup network serving all kinds of juicy customers like banks, airlines, all kinds of businesses. This system had been devised and deployed long before the world wide web. Telenet had local dialups in most American cities[1]. Lots of those systems were using crap passwords, or defaults. You could use systems to dial other systems that weren't hooked into Telenet. It was tremendous fun exploring that network[2]. It was a hell of a lot of fun. Truly an exceptional time that I really have nostalgia for.
wow, this is super interesting. I have actually used telnet and the telnet simulator. i think there used to be an old bbs or game online that was before my time that was still hooked up and one where you voild telnet in and play the oregon trail.
"NoSQL, or rather NoAuthentication, has been a huge gift to the hacker community. Just when I was worried that they'd finally patched all of the authentication bypass bugs in MySQL, new databases came into style that lack authentication by design"
> The size of the downloadable cache alone puts it at one of the largest breaches this year -- but it could have been far larger, given time and resources.
> "The worst part is that this is barely a fraction of what I could get my hands on," the hacker said.
So why didn't GhostShell release everything he could get his hands on?
Presumably because GhostShell didn't want to leak every bit of accessible data, but merely a subset to illustrate that this wasn't hot air, and shame parties involved into action.
What happened to hacker ethics? Screw over 39 million people to protest the sorry state of the security of a service they have been using?
Back in the good old days one would have secured the systems instead of harming the victims again.
GhostShell, please stay away from IoT or connected medical devices, I'm afraid you'll kill people just to make a point every security professional already understands.
I agree with joof. I consider this grey tipping towards white rather than black hat. s/he basically just automated default credentials or autologin attempts, the door was already wide open and there were already numerous pieces of evidence s/he wasn't the only person to know that. If you see a door wide open a curious hacker will look.
30 comments
[ 4.3 ms ] story [ 71.4 ms ] threadhttp://pastebin.com/raw/tEX6yGX6
Many many years ago when I was younger and playing with buffer overflows and learning shellcode, I'm not saying that I'm proud of this either, but in my journeys I had breached a couple of online retailers, had full access to their databases and internal networks.. of course I alerted them via anonymous e-mails, but what always struck me was the amount of times that I encountered files from 'hackers' just saying that they were here or what have you. Many of them just placing files because they couldn't transverse the NAT, and others who had uploaded ftp scripts but had typos in them so the scripts didn't get deleted like they had planned. Evidence of crimes and theft laying all over the internal network for months or years, and nobody finding it.
At some point it's hard not to side with people like ghostshell, because when you're supposed to be responsible for important information, but have seemingly no interest in protecting it, at some point the system is bound to fall apart.
I'm reminded of something I read posted by l0pht, way back when, and they just said how much better they were than everyone else because they had jobs at burger king and were dedicated to spending all of their time penetrating networks while their opponents were a bunch of overpaid nobodies who hated their jobs and overall really didn't care, and that they would always win.
I think that still holds true today.
Every sysadmin I've met cares a lot. But they get to rely on products from disparate vendors that are full of zero day exploits and helpful users who are easily socially engineered.
I wonder if any of them have heard of VNC Roulette.
IT is seen as such a money sink, that true and proper workload and therefore workforce requirments are almost never understood, much less met, so you end up with a one man miracle show sysadmin working a 40k job, always on call, who literally doesn't have the time to be proactive. If he or she brings it up with management, their work is often criticized and the budget is whined about and they are lucky to get a teir 1 helper (maybe only part time too!).
Companies dont like spending money when they don't have to, and admins are on a whole spectacularly failing to emphasize the risks being introduced to the business because of it, all while generally being overworked and paid crappily and often overtime exempt.
I ought to know, I helped start up an IT consultancy and I'd say 3/4 of the clients were picking up after a half incompetent, half apathetic admin... but often it was just because at the end of the day, the admins arent getting payed enough to care that much. So something breaks, costs $money in downtime, forces the C levels to call consultants, and end up spending more than if they had just hired a few extra good people in the first place.
So, you arent wrong, but lets not lose sight of the fact that at the end of the day it's managements job to ensure the admins are given the tools they need to succeed, and to check competence levels with metrics you font have to be an admin to understand.
They arent though, so thats why I think sysadmins ought to revolt, kick back with a scotch, and watch the world burn.
This is so spot on, I'm going to ooze nostalgia for a moment:
I was the tier 1 helper brought in to help the one man miracle 40k sysadmin, way back at the start of my career. He taught me pretty much everything I know about sysopping well, skills that after languishing for over a decade still let me perform miracles to the eyes of my current SWE coworkers, and even at my prime I only had a FRACTION of his knowledge.
He kept two datacenters, literally thousands of machines, almost singlehandedly out of "being on fire". His management would have been more effective had they actually been in-abscentia, I have some fun stories about when our manager broke networking by wiring a routing loop, leaving work early after giving up trying to fix it, and leaving me there alone because "I'm sure you can get it working". (In trying to fix it, management broke pretty much all our vnets and trunking, this all started because the main sysadmin was out sick, which he almost never let happen)
I can go on with stories for days, I don't think I really had a compelling point in this other than to say working with him biased me towards good faith in sysops. It's funny to say that since the few other helpers who passed through in the years I worked with him were mostly all the terrible things you hear about incompetence/laziness, but part of me now keeps an eye out in any shop that's not perpetually on fire for the one sysadmin keeping the roof up.
To give a point for this ramble, I just want to voice out my support for those one man miracle shows, as an attempt to further thank the one who helped me so damn much, who was given so little for doing so.
To bring this back to the point of the OP, which I entirely forgot at the end of writing this, at one point we found that a keylogger had been hidden in our systems, and a rootkit had likely been proliferated. We recommended essentially a full nuke and repave, since there was very little we could do at this point to determine the extent of the compromise. Not only did management disallow us from properly cleansing some systems, they didn't even let them be taken down and rekeyed fully, making our efforts in the clusters we had full control over essentially moot. In short, sometimes a company can seem almost pathologically against good practices, despite the best intentions of those who might know better.
>I think that still holds true today.
This'll sound a little harsh, but if you have to work at burger king to fund your living then you aren't a very good hacker.
There's no lack of opportunities for those with talent.
>There's no lack of opportunities for those with talent.
I read it more like "We choose to lead a meager lifestyle -- even with our tremendous abilities -- because working for someone would direct our efforts towards their goals rather than allowing us to pursue our own novel research which is fueled purely by passion for the subject."
Though that was a different time, when you really had to get a job somewhere, and I see their point. Today of course it's easier to do just enough short-term work without a long-term commitment (Upwork, etc) to be functionally solvent without having to resort to fast-food.
Okay, we need proof that we were here... Okay, garbage, give me garbage.
Some 20 years ago it was common knowledge among hackers that the reason critical IT-infrastructure has not been used to do real harm was that "good" hackers locked destructive hackers out of systems they had pwned.
To me the most interesting thing is that information security is still not on the curriculum for devs. There is no fscking reason a power plant or cement plant needs a bidirectional connection to company headquarters except for saving a few bucks on skilled on-site personnel. And don't get me started on cloud-based IoT-idiocy.....
Can you elaborate, this is fascinating.
There is a "telenet simulator" on the internet[0] that you should check out. This will give you some idea what it was like to use Sprint's Telenet system, which was a worldwide dialup network serving all kinds of juicy customers like banks, airlines, all kinds of businesses. This system had been devised and deployed long before the world wide web. Telenet had local dialups in most American cities[1]. Lots of those systems were using crap passwords, or defaults. You could use systems to dial other systems that weren't hooked into Telenet. It was tremendous fun exploring that network[2]. It was a hell of a lot of fun. Truly an exceptional time that I really have nostalgia for.
[0] http://telehack.com/
[1] http://textfiles.com/hacking/telnumbe.txt
[2] http://textfiles.com/hacking/telenet2.txt
thanks for the info.
https://ghostbin.com/paste/6kho7
> "The worst part is that this is barely a fraction of what I could get my hands on," the hacker said.
So why didn't GhostShell release everything he could get his hands on?
Back in the good old days one would have secured the systems instead of harming the victims again.
GhostShell, please stay away from IoT or connected medical devices, I'm afraid you'll kill people just to make a point every security professional already understands.