I’ve been trying to trace through the “spaghetti reconstruction of ‘the hack’” that Bob is writing at SkS (titled “A Hack By Any Other Name”, parts I-VI). The table below has my timetable as best I can figure it out. I have not interlaced any of our discoveries of hackers enjoying themselves at John Cook’s old sites (where someone might have practiced). The badly formatted table below is my first attempt to put things in order; there could be mistakes. I consider this a ‘work in progress’ and will edit.
Notice most of the interesting stuff happened on Feb 21 and is published in Part VI. The earlier parts are more discussions of the panic and confusion a month later, in March, when the contents of the forum were disseminated.
At this point, hack seems much more plausible than leak. Possibly, if we had all known just how pathetic security at SkS was, everyone would have thought ‘hack’ more plausible. But who would have dreamed that anyone could develop and implement a site with security this poor?
For now, here goes.
| Date | Part | What happened |
|---|---|---|
| March 2010 | | The “Wayback Machine” crawler visits URIs with filenames matching the pattern SkS used for its SQLI ‘log’ file. (That is, it somehow “knows” to try URIs of the form http://skepticalscience.com/logs/year_mon_day.txt.) |
| Feb 21 (Feb 20) | Part | Bob Lacatena tells us “The German” “first hacked his way into the Skeptical Science web site” using Tor Browser, or at least Tor. (IP not provided. Method of entry not stated.) |
| Feb 21, 6:52 am | VI | Details about what happened at 6:52 am are provided in Part VI. Someone visits http://www.skepticalscience.com. Someone with the same user agent but a different IP loads (i.e. GETs) www.skepticalscience.com/register.php. That’s SkS’s normal registration page (it still exists; it’s the page with the ridiculously bot-solvable captcha based on the URI). They visit register again, this time posting (i.e. POST). Note: I would never let someone using Tor POST. The visitor is shown the ‘confirm’ page and is apparently assigned the id 6304. Note: this is a GET. Possibly ‘dieter’ returns after getting a confirm code by email? This is a POST. Note: even now this does not appear to be any sort of “hack”. It’s just someone registering using SkepticalScience.com’s ordinary registration tool, and then ‘confirming’. SkepticalScience requires people to do this before they can comment. Now, Lacatena tells us what came next, and this is starting to look like “a hack”. The visitor is doing stuff one would pretty much know they aren’t “supposed” to do, and in particular is trying to escalate privileges. Note however: the fact the user does this immediately suggests the visitor already knew or strongly suspected that the “cookie” method would let him in. (Given the extensive discussions by hackers practicing their skillz on John Cook’s old cartoon site, it may be that he guessed based on that.) |
| Feb 21, 07:49:01 | VI | Less than half an hour after ‘first’ breaking in, user 6304 visits and successfully changes into user 1 (John Cook). This was done by editing his cookie to tell the server he was John Cook. The handy “cookie” method of identification was conceived of and programmed by John Cook. Lacatena quotes the logs showing he succeeded. In other words: it took ‘dieter’ all of 10 minutes to try the cookie method, notice the ‘problem’ and figure out how to use the vulnerability John Cook had programmed into the system for logging into the “super-secret” forum, escalating his privileges to “super user” or “admin”. The reason this could be done so quickly is that the security at Skeptical Science was utter crap. Not only did it share vulnerabilities common to many forums (e.g. “timthumb”-type vulnerabilities for image uploads) but it had special-purpose vulnerabilities coded by John Cook. Beyond that, they had no traps to slow anything down. (No IP whitelisting for admin, which could have excluded this guy from ‘admin’ even if he’d changed his cookie. No blocking Tor from admin. No blocking administrative or author-only features from entities that leave blank referrers. It was just wide open.) |
| Feb 21 | Part | Already in admin and having managed to locate the image upload form: `173.254.216.67 www.skepticalscience.com - [21/Feb/2012:09:15:35` |
| Feb 21 | | Looks around a bit, possibly learns something that gives him confidence the image upload form shares the well-known “timthumb.php” vulnerability, and uses it to upload ‘temp.php’: `74.120.15.150 www.skepticalscience.com - [21/Feb/2012:09:33:52 +1100] "POST /admin_moderate.php?` Tests to see if temp.php is there (which it is). He later uploads “temp2.php” and “temp3.php”, giving him lots of toys to play with. |
| Feb 21 | | Visit to the /logs file: `199.48.147.37 www.skepticalscience.com - [21/Feb/2012:10:07:41 +1100] "GET /logs/2012-02-21.txt HTTP/1.1" 200 3661007 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" "PHPSESSID= [...]` Looks like no referrer. Note: after writing this, Bob says “they were all Tor relay nodes”. Really? Relay nodes? Not exit nodes? |
| Feb 21 | | Based on the referrer, seems to be looking at logs: `173.254.216.66 www.skepticalscience.com - [21/Feb/2012:12:07:29 +1100] "POST /images/temp3.php HTTP/1.1" 200 5534 "http://www.skepticalscience.com` Lacatena diagnoses this as “he truncated first the day’s SQL injection log file”. |
| Feb 21 | | It’s Feb 21, 2012. I guess they keep database backups forever. Anyway, he pokes around more, manages to find a file containing the credentials for accessing the database, adds those to a program he uploaded and then snags the database. Then he cleans up some traces. That pretty much looks like how he did it, though later he visits again and repeats. |
| Feb 22 | | The Wayback visits the SkS private forum and reads a thread. These addresses seem to end with “thread.php”. |
| Feb 22 | – | The Wayback Machine visits the secret SkS forum. |
| Feb 23 (Feb 22) | Part | According to Lacatena, during this visit “The German” poked around doing a lot of things on the admin side of the forum. He created a user named “francois”, uploaded a file called ‘f2’, read some forum entries, made himself a full directory listing (including one of the /logs subdirectory), made the forum publicly accessible, changed moderation controls on the directory listing, and uploaded a file called ‘un’ which, when run, deleted ‘f2’ and itself. We are not told how “The German” hacked in on this day. (Possibly by reading a file in the /logs subdirectory, finding the admin name and password and entering those.) Note: these activities, if they occurred, would sound like what people who are not specialists call “hacking” but some specialists might call “cracking”. In any case, if done by someone who is not authorized to fiddle around on the ‘admin’ side of the forum, they sound like someone doing things he would perfectly well know he ought not to be doing. |
| 23 Feb 2012 | Part | John Cook tells the SkS private forum |
| Feb 25 | Part | ‘The German’ evidently returns using Tor. Bob Lacatena writes “The slowness of the Tor connection meant that it was several minutes before he could start work.” (I’ve used Tor. It’s slow, but it ain’t that slow.) He evidently visited the /logs directory and began downloading. Note: assuming these are zipped, these files are huge. Next, he read stuff of interest to him, then looked up Dana’s entry in the user table and left. |
| Feb 25 | Part III | Looks at the database user entry for John Mashey. |
| Feb 27 | Part | He downloaded a SQL injection log file, the smaller, zipped version for February 26th. |
| Mar 5 | Part | “First, he grabbed the zipped log file from March 3rd. It took a full forty minutes to download all 6.8 megabytes via Tor.” He “uploaded another program that he had written, one named ‘u1’”, tried to run it, had to fiddle a bunch, uploaded again, and finally got it to work. Using u1 he downloaded the zipped database, after which he uploaded “u2”, which he used to delete u1 and u2 itself. |
| Mar 10 | | The Wayback appears to visit an SkS forum thread (thread.php?t=2201&p=18351) and is presented the login page. (Note: I’m not sure this was the private forum. But my impression is ‘thread.php’ indicates an attempt to visit the private forum. Here, it would appear the software presented the login page in response to the request.) |
| 10:41 PM | Part | “Anonymous” leaves a note at Tom Nelson’s blog. Among other things, that note mentions database logs and some files, specifically two ‘.zip’ files. |
| March 24 | Part | Lacatena visits the SkS forum and reads a note indicating that Grypo says SkS has been hacked. |
| Mar 23 | | Bob Lacatena reads the contents of a “.zip” file. He doesn’t say which ‘.zip’, but based on the narrative it appears Bob means the “.zip” file from the “.ru” site. Bob reports that the contents of that ‘.zip’ file appeared similar but not identical to SkS’s private forum. Differences included use of users’ full names, their emails and IP addresses. |
| Mar 24 | Part & III | SkS forum members speculate about ‘hack/leak’ in the private forum. It’s clear “Anonymous”, or whoever gave the files to the Anonymous who posted at Tom Nelson’s, had access to lots of stuff. John Cook reveals the existence of what appears to be the ‘/logs’ directory to SkS members. (This appears to match the directory visited by the Wayback in 2010.) In Part III, Lacatena addresses this. Of course we can see from a 2010 screenshot from the Wayback that someone could easily be aware of this /logs directory and the files inside it, as well as the naming convention for the files themselves. Of course there would only be a string of 403 and 404 responses in their error logs if something or someone had guessed numerous incorrect or forbidden URIs. If the visitor guessed correctly, as they might by examining the pattern of URIs recorded at the Wayback, there would not have been a long string of 404 or 403 errors. Rather, SkS investigators would have seen 200 in their access logs every time something visited and downloaded the file. Equally importantly, if SkS investigators have saved all their error logs back to 2010, it seems to me they should have seen the 404 recorded when the Wayback visited a deleted .txt file back in 2010. Bob reports no such error. He also doesn’t report the successful (200) access to a forum thread by the Wayback in February and doesn’t mention what might be a successful (200) access to the login page on March 10, 2012. The way this reads, it appears this file would contain every command used to modify the database on the date associated with its time stamp. So the one for ‘2012-03-21’ would presumably contain all queries submitted on 3/21/2012. Presumably the log for 2010-03-11.txt visited by the Wayback in 2010 would have contained all the queries submitted for that day. This suggests that a vigilant snooper might have obtained all queries required to reconstruct forum discussions from at least March 2010 until the /logs file was closed. |
| Mar 24 | Part | Bob Lacatena’s belief at that time, and when writing Part II, was that nobody outside the group knew the forum existed. This belief was mistaken, as the Wayback machine had crawled to the forum on February 18, 2012. The Wayback itself must have learned of the existence of the forum, and anyone visiting the Wayback to search the history of SkS files could have learned of the existence of the forum. Beyond that, people often learn of the existence of URIs from referrers. So unless SkS was very clever, many might have learned of the existence of the forum from their referrers. |
| Mar 24 | Part | Bob Lacatena’s belief at that time, and when writing Part II, was |
| Mar 24 | | Bob doesn’t mention whether the Texas IP corresponds to the Wayback Machine, which took a screenshot of thread.php?t=2094&r=8 and was no longer presented the login page. This would seem consistent with visiting after the forum was closed. |
| | Part | Discussing the ‘hack/leak’, Bob Lacatena continued. In fact, more than a ‘handful’ of logs had been made available. Logs had been made available since at least 2010, spanning the entire history of the SkS forums. And as Brandon pointed out, the fact that the /logs began in 2010 doesn’t mean that data from 2007 couldn’t have been uploaded. It’s entirely possible that at some time since 2010 the admin had uploaded a backup of the “user” table in the database by submitting queries. Had someone done this, the entire user table would have been made available through the ‘logs’ file. We don’t know if an admin did do that, but it’s not only not impossible, it’s not even improbable. |
| Mar 25 | | The Wayback visits the SkepticalScience /logs directory looking specifically for the March 21, 2012 log. |
I’ll be adding more to this timeline when VII (or more) are posted.
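The ‘cookie method’ in the Feb 21, 07:49 row can be shown concretely. The Python below is an added illustration written for this page, not SkS code and not anything from Lacatena’s series: the weak scheme trusts whatever numeric id the client sends in a `uid` cookie, so changing 6304 to 1 makes the server treat the visitor as user 1. The hardened variant adds an HMAC-SHA256 tag over the id under a server-side key, so an edited id fails verification. The user table, the cookie names and the key are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

ADMIN_UID = 1
# Constructed user table for the example (assumption, not SkS data).
USERS = {1: "john", 6304: "dieter"}
# Server-side key for the signed variant; generated per process here, kept secret in practice.
SECRET = secrets.token_bytes(32)


def _cookies(header: str) -> SimpleCookie:
    c = SimpleCookie()
    c.load(header)
    return c


def who_am_i_weak(cookie_header: str) -> Optional[int]:
    """Weak scheme: the cookie is just the numeric user id and the server believes it."""
    c = _cookies(cookie_header)
    if "uid" not in c or not c["uid"].value.isdigit():
        return None
    uid = int(c["uid"].value)
    return uid if uid in USERS else None


def issue_cookie(uid: int, key: bytes = SECRET) -> str:
    """Hardened scheme: the id travels with an HMAC-SHA256 tag computed under a server key."""
    tag = hmac.new(key, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"uid={uid}; sig={tag}"


def who_am_i_signed(cookie_header: str, key: bytes = SECRET) -> Optional[int]:
    """Accept the id only if its tag verifies; an edited id no longer matches the tag."""
    c = _cookies(cookie_header)
    if "uid" not in c or "sig" not in c or not c["uid"].value.isdigit():
        return None
    expected = hmac.new(key, c["uid"].value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, c["sig"].value):   # constant-time compare
        return None
    uid = int(c["uid"].value)
    return uid if uid in USERS else None


def is_admin(uid: Optional[int]) -> bool:
    return uid == ADMIN_UID


def demo() -> dict:
    """User 6304 registers normally, then edits the id in his cookie to 1."""
    legit = issue_cookie(6304)
    tampered = legit.replace("uid=6304", "uid=1")
    return {
        "weak_accepts_tamper": is_admin(who_am_i_weak(tampered)),     # escalation succeeds
        "signed_rejects_tamper": who_am_i_signed(tampered) is None,   # tag does not verify
        "signed_accepts_legit": who_am_i_signed(legit) == 6304,       # honest cookie still works
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Signing only stops the id from being forged; a random, opaque session identifier looked up server-side would keep the id out of the cookie altogether, and the admin-side checks listed in the table (IP allowlist, no Tor, no blank referrer) would be further layers on top of either.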
Worth exploring:
https://web.archive.org/web/*/http://www.skepticalscience.com/forum.php*
Shows Wayback was “aware” of forum page. Snapshots of forum.php are of login page.
and
https://web.archive.org/web/*/http://www.skepticalscience.com/topic.php*
Shows web.archive visited “topics” page.
Snapshots from 2010 are of login page.
and:
https://web.archive.org/web/*/http://www.skepticalscience.com/thread.php*
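The point in the Mar 24 rows, that a correct guess of a /logs/ filename shows up as a 200 rather than a string of 403s and 404s, can be turned into a check over the access log. The Python below is an added example for this page, not anything from SkS or from Lacatena: it parses lines in the layout quoted in the timeline (virtual host after the client IP, a trailing cookie field that is ignored) and flags successful downloads of date-named files under /logs/, runs of 403/404 misses on that directory from one IP (guessing), admin pages fetched with a blank referrer, and PHP executed from the image upload directory. The sample lines are constructed, modelled on the excerpts above; the path prefixes and the guessing threshold are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Combined-log layout of the excerpts in the timeline: client IP, virtual host,
# "-", [timestamp], "request", status, bytes, "referrer", "user agent".
# Anything after the user agent (the PHPSESSID cookie field) is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Date-named dumps under /logs/, the naming convention visible in the Wayback listing.
LOGDUMP_RE = re.compile(r'^/logs/\d{4}-\d{2}-\d{2}\.(?:txt|zip)$')
ADMIN_PREFIX = "/admin"      # assumption: admin pages share this prefix
UPLOAD_DIR = "/images/"      # assumption: the image upload directory


def parse(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines: List[str], guess_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """Return (rule, client_ip, detail) findings over a batch of log lines."""
    findings: List[Tuple[str, str, str]] = []
    misses: Counter = Counter()
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        path = r["path"].split("?", 1)[0]   # drop the query string
        status = int(r["status"])
        if LOGDUMP_RE.match(path):
            if status == 200:
                # A correct guess or a known name shows up as a 200, not as a run of errors.
                findings.append(("logdump-download", r["ip"], path))
            elif status in (403, 404):
                misses[r["ip"]] += 1
        if path.startswith(ADMIN_PREFIX) and r["referrer"] in ("", "-"):
            findings.append(("admin-no-referrer", r["ip"], path))
        if path.startswith(UPLOAD_DIR) and path.endswith(".php"):
            # A script executed from the upload directory: a webshell such as temp3.php.
            findings.append(("script-in-upload-dir", r["ip"], path))
    for ip, n in misses.items():
        if n >= guess_threshold:
            findings.append(("logdump-guessing", ip, f"{n} x 403/404 under /logs/"))
    return findings


# Constructed sample, modelled on the excerpts quoted in the timeline (not real SkS log data).
SAMPLE = [
    '199.48.147.37 www.skepticalscience.com - [21/Feb/2012:10:07:41 +1100] "GET /logs/2012-02-21.txt HTTP/1.1" 200 3661007 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0" "PHPSESSID=abc"',
    '198.51.100.7 www.skepticalscience.com - [21/Feb/2012:10:01:02 +1100] "GET /logs/2012-02-18.txt HTTP/1.1" 404 512 "-" "curl/7.21.0"',
    '198.51.100.7 www.skepticalscience.com - [21/Feb/2012:10:01:03 +1100] "GET /logs/2012-02-19.txt HTTP/1.1" 404 512 "-" "curl/7.21.0"',
    '198.51.100.7 www.skepticalscience.com - [21/Feb/2012:10:01:04 +1100] "GET /logs/2012-02-20.txt HTTP/1.1" 403 418 "-" "curl/7.21.0"',
    '173.254.216.66 www.skepticalscience.com - [21/Feb/2012:12:07:29 +1100] "POST /images/temp3.php HTTP/1.1" 200 5534 "http://www.skepticalscience.com/admin_moderate.php" "Mozilla/5.0"',
    '203.0.113.9 www.skepticalscience.com - [21/Feb/2012:09:15:35 +1100] "GET /admin_moderate.php?page=1 HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
    '192.0.2.44 www.skepticalscience.com - [21/Feb/2012:06:52:10 +1100] "GET /register.php HTTP/1.1" 200 4090 "http://www.skepticalscience.com/" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for rule, ip, detail in analyse(SAMPLE):
        print(f"{rule:22} {ip:16} {detail}")
```

Run against the sample, the one 200 on /logs/2012-02-21.txt is reported as a download while the three misses from the other address are reported as guessing; the ordinary register.php hit produces nothing. The referrer check is only a tripwire (referrers are client-controlled), which is why it sits beside the others rather than standing alone.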
I think it’s hilarious Bob Lacatena says nobody could have known about the forum without having the right permissions. When I found the images directory that had their Photoshop projects in it, it was at the new location for their forum. I found that page without even trying. I was given the URL for it in a Skeptical Science post.
The reality is knowing about that forum wasn’t difficult. Anyone who was interested enough in Skeptical Science could have found out about it.
Skeptical Science may like to portray this hack as them being targeted by a skilled hacker or whatnot, but the reality is this could have been done by any script kiddie. I’d wager the only reason Skeptical Science didn’t get hacked more often is its security is so stupid nobody could anticipate it.
It’s like a bank that shuts its vault but doesn’t lock it.
Your right-hand box, with the comments, is cutting off words. I’m using an iPad Air.
This says a lot about their thoroughness and attention to detail.
Brandon
More like a bank that doesn’t lock the vault, and then the owner decides the door is too heavy to pull, so he puts in a ‘secret’ back door that lets people enter from the loading dock and then post directions about various entrances in a broom closet that “only he and the janitor use” and then tells people in the front office to admit anyone who presents them with a paper that says “I am John Cook” into the room with access to the vault and….
The pileup of ‘back doors’, ‘secret entry methods’, ‘fake captchas’, ‘fake credentials’ permitted by that site was amazing
The fact that Bob can write stuff as stupid as this
It’s “no wonder”? John wrote a ‘registration’ method whose only function appeared to be to:
1) demand or request peoples ‘private information’ (i.e. email, name) to have the right to comment and
2) possibly slow down garden variety spambots.
Note– I say ‘garden variety’ because as far as we can tell, someone could still write a script that read the uri of the captcha, notice the ‘code’ and mass enrolled members using throw-away email addresses. And then they could spam the heck out of that site.
But apart from the spambots: later when creating a “secure” or “private” site, John Cook didn’t even think about security. This has nothing to do with the site “exploding with new functionality”. Lots of stuff at the site does not need much security. The trend calculator? The various pages to answer ‘skeptic arguments” and so on? But he added this one thing that needed “security”, and did nothing to secure it.
He didn’t even think about it.
And the SkS group persists in thinking that “private” site which leaves referrers in other peoples logs, somehow was “unknown” to other people and that somehow this “obscurity” would provide “security”. What. Bunk. Of course people knew the forum existed!
The big question is: Why did the guy wait a month to ‘leak’?
I wouldn’t be too critical of Skeptical Science for having bad security if that’s all there was to it. Lots of sites have bad security. Lots of people don’t understand it. It’s bad, but it’s not that remarkable.
My problem with Skeptical Science is it pretends to have good security, and it makes excuses for whatever mistakes it admits. You never see them just say, “Yeah, that was a boneheaded mistake.” Instead, when I found a publicly accessible directory with some embarrassing images in it, Rob Honeycutt said I hacked them.
That’s what bugs me about this. Any knowledgeable IT person should laugh at the things they say. They’re pretending to have far more knowledge and skill than they actually have. Given I know they do that in a field I know a lot about, I have to assume they do it in fields I don’t know a lot about.
On a related note, Skeptical Science is a fairly popular site. If they wanted help with security, they could just ask. They’d get a number of people willing to do it for free. The fact they don’t is disturbing.
Lucia,
I’m going to be chuckling about this the rest of the day, thanks!
Brandon,
I agree lots of people have bad security. I can’t even say I’m unhackable: I assume that I could be hacked if someone tried.
Part of the problem is that John Cook seems to want to implement all “invented here” methods and didn’t reveal them to the volunteers who jumped in to delve into the hack until after the fact. And as you observe, they don’t comment that something was a boneheaded mistake. The fact is: it was a boneheaded mistake to use a “cookie” method that passed nothing more than the user ID. Had the cookie method even passed a hashed password and user name, that might have been better, since in that case the hacker would have had to guess a password. But just the ID?! It’s a wonder they weren’t hacked sooner. (And for all we know, they were.)
(In)Competence does not appear to scale with size:
Target Ignored Data Breach Alarms
Brandon Shollenberger.
Once it is observed that they will pretend in some areas then my overall focus on them would change in every area.
It would make me most interested in and be more critically focused on why they are saying the things they say on any subject instead of what they say on any subject.
My focus shifts to ulterior purposes they could have to pretend across the board.
Harsh? No, I think not, given the potential impact of the science discussed.
John
This is sort of funny.
If you create an address like this:
http://www.sksforum.org/thread.php?t=10640&p=105410
with a really big number after p=
The sksforum.org sends a page whose html reads
```html
<html>
<head>
<script type="text/javascript">
<!--
window.location = ""
//-->
</script>
</head>
<body>
<a href=""> </a>
</body>
</html>
```
You get a sort of “blinking blank pages” phenomena until you stop the window.
(If you are wondering how I found this, I added a ‘0’ after http://www.sksforum.org/thread.php?t=10640&p=10541 which forwards to DavidAppels blog.)
By the way– do not cut and paste that javascript anywhere! It’s an infinite loop.
“The handy “cookie” method of identification was conceived of and programmed by John Cook”
That made my day.
here is an inner forum page captured by wayback – 23rd February 2011
https://web.archive.org/web/20110223175331/http://www.skepticalscience.com/thread.php?t=472&r=1
Further to the conversation about sev.com.au being a site frequented by hackers for SQLI injection practice…
http://ferdjioua.algeriaforum.net/t5559-topic
On the thread about my comments, Neil J. King (a Skeptical Science team member) made a laughable mistake.
He dug out his old physics book and used a few equations about energy distribution among molecules, but they were equations that did not take into account the force of gravity. That was the very thing we were talking about, namely how gravity brings about an autonomous thermal gradient (aka lapse rate) in any planet’s troposphere.
So Neil King wrote about how he “can calculate the number of visitors in both directions (and in particular, a molecule that starts out with “normal” speed at 0 and ends up with “cool” speed at z; and the reverse), and they are equal.”
Well, Neil King, you seem to have forgotten that “0” is a lower level than “z” and that good old gravity slows things down a bit when they go up. It never accelerates them upwards – just downwards Neil King.
Awesome! It was fun to gain access to the SKS site thanks to a very smart hacker. I won’t tell you who he is. He can claim the credit or continue to lurk in the undergrowth.
I advised SKS that their security had failed by sending them this link:
http://www.gallopingcamel.info/docs/DeletedCamel.doc
SKS fixed the problem by archiving the relevant files but they are still vulnerable.
SKS is a pathetic joke. Don’t waste any more time with losers like Jon Cook and Dana Nukeatelly.
Phew. Just finished reading part 7. Blah, blah, blah….
I guess article lift-out quotes are normally the job of an independent editor (non-author).
Assuming in this case though that Bob is his own editor, we have Bob deciding to lift-out himself writing “I was ready to send the FBI after him…”. That seems incredibly pompous to me – ego milking his moment in the sun.
If Batman was a climate crusader…
“The hacker put a lot of time into this — time that might have been better used studying and understanding the science of climate change.”