Cryptome: Hacked, Defaced and Deleted
Cryptome, a site dedicated to whistle-blowing and leaking sensitive documents on the Web, was hacked this week. Its front page was defaced (with an NSFW image) and, according to the site’s administrators, some 7GB of data was deleted from the server, including all of the leaked files.
According to reports, at least two different versions of the home page were uploaded during the defacing, one credited a hacker named “Trainreq” for the attack and the other credited a “RuxPin”. They both made reference to hackers “EBK” and “Defiant”, both of whom were convicted for vandalizing Comcast’s site in 2008.
Cryptome’s other accounts were unaffected by this attack as were other accounts at its host, Network Solutions. Cryptome was able to restore the site from off-site backups and get it back up and running. However, according to Cryptome, the hack points out just how insecure the Web is.
“Blocking attacks is nearly impossible due to the purposefully weak security of the Internet. Nearly all security methods are bogus. A competent hacker or spy, or the two working together, can penetrate easily.”
So are there lessons in this hack that other webmasters should take into consideration? Definitely.
How The Cryptome Hack Happened
According to Cryptome’s staff, the hack was actually amazingly simple. An attacker, through “unknown means”, managed to gain access to Cryptome’s Earthlink email address and then used that to request a password for their hosting account. From there, they were able to enter the account, deface the homepage, delete the files and change the password.
Cryptome’s staff was not aware of the break-in until they realized they could not access either their email or the hosting account. It was then that they began contacting the two companies to straighten things out.
Even without knowing how the hacker got into the site’s email, there is clearly a great deal that other webmasters can take to heart when considering their own site’s security.
Security Lessons
Though it is unclear if Cryptome really had as insecure a setup as someone indicated in an IRC chat (a person suspected of being the hacker), it is clear that the case highlights some flaws in the way hosting is handled and paints a pretty bleak picture of anyone’s hopes of having a secure server.
That being said, there are a few takeaways to consider:
- Use a Separate Email: Don’t use a publicly-known email as your host contact; create a separate, private email. Check it regularly, perhaps even with alerts for it on your phone, but don’t forward it to an established account: anyone who gets into that account could then use the forwarded mail to take over your site.
- Multi-Factor Authentication: This one was a goof on Network Solutions’ part. If the service had required multiple forms of authentication rather than just an email address to reset a password, the hack might have been mitigated. The more independent methods of authentication a password reset requires, the better.
- Trust No One: Cryptome has the right idea when their admins say, “We do not trust our ISP, email provider and officials to tell the truth or protect us.” The idea of an Earthlink email account being broken into, by any means, may seem far-fetched but “secure” companies are compromised every day.
- The Importance of Monitoring: Monitoring your site means more than making sure it is still up; it also means making sure it hasn’t been hacked or defaced. Ensure that your monitoring service can at least look for specific strings of text on your site, so that you’ll be alerted if any major changes take place.
- Backup, Backup, Backup: I’ve repeated this mantra many times before, but if anything is clear from the Cryptome case it is that you need to keep multiple backups of your work, including as many off-site as possible. A service such as SiteAutoBackup can be a great help in this area.
All in all, Cryptome is absolutely correct that, no matter what security measures you take, someone can always find a way into your site if they are motivated enough. Social engineering, unknown exploits and multiple avenues of attack make it almost impossible to completely lock down a server. Your best bet is to close any holes you can, but above all to prepare in case things do go awry.
Bottom Line
Granted, most of us are not running whistleblower sites that attract the kind of hostility and controversy that Cryptome does. Therefore, we probably won’t be targeted as frequently as sites like Cryptome.
That being said, if you keep any kind of sensitive information that might appeal to a hacker, such as financial data or other private information, you can be fairly certain that someone, at some point, will at least make an attempt. Likewise, if you delve into any controversy or do anything that might anger a large number of people, once again, be prepared!
It makes sense to be prepared for such an occasion, even if you don’t think it will happen to you. The Web is a dangerous place and innocent sites often get caught in the crossfire. The best you can do is know how to minimize your risk and how to recover should you find your account compromised.
It’s an admittedly unpleasant solution, but easily the best available on a very imperfect Web.