Cryptome Defaced and Archive Deleted in Public Attack
Cryptome.org has provided a means for the distribution of otherwise restricted information on the internet for over a decade, but it hasn't come without risk. It may not be as well known by the public as the more recent WikiLeaks, but it has been hosting and distributing documents related to freedom of speech, cryptography, spying, surveillance, intelligence, secret governance, and national security for much longer.
Earlier this year the site was temporarily taken offline by a DMCA takedown request issued by Microsoft for publishing internal Microsoft documents, but it was soon back online. Less than a month later the site had its PayPal account locked, in response to what appeared to be suspicious donations made to assist with the upkeep of the site.
Over the past weekend, the site was compromised by unknown attackers (despite the claim of responsibility posted on the front page, it is not believed that the hackers named there were responsible for the attack) and the front page was replaced with a fairly standard web defacement.
Website defacements are one way that different groups of hackers demonstrate their technical skill, and the closer the defaced page is to the top level of a site, the greater the level of skill required to pull it off (or the greater the luck in finding an under-protected site).
Accompanying the defacement of Cryptome.org was the deletion of the accumulated archive of documents that the site has published over the years. Amounting to more than 50,000 files and approximately 7GB of data, this initially appeared to be an extremely serious loss. Fortunately, the site's operators had maintained a reliable backup and were able to restore the site once they regained control of it, losing only the most recent two days' worth of submissions.
Rather than exploiting a weakness in the website software to deface and delete the site, the attackers took complete control of one of the site's main email accounts, then used that access to take over the site's maintenance account at its hosting provider. From there, the attackers could act with the full rights of the site operators, since that is what they appeared to be to the hosting provider. The attackers claim to have used nothing more than social engineering to gain this level of control.
Had the attackers been a little more cautious, the compromise could have gone undetected for far longer than it did; defacing the site and deleting its archive is, however, a very visible way of demonstrating that they had access.
6 October 2010