{"id":23788,"date":"2014-02-23T23:58:47","date_gmt":"2014-02-24T05:58:47","guid":{"rendered":"http:\/\/rankexploits.com\/musings\/?p=23788"},"modified":"2014-03-13T14:01:24","modified_gmt":"2014-03-13T20:01:24","slug":"sks-non-revelations-about-their-hack-part-i","status":"publish","type":"post","link":"https:\/\/rankexploits.com\/musings\/2014\/sks-non-revelations-about-their-hack-part-i\/","title":{"rendered":"SkS Non-revelations about their ‘hack’: Part I."},"content":{"rendered":"

Bob Lacatanae just wrote a post discussing SkS being “hacked” way back in February 2012. You know…. the hack that we are all supposed to know is hack because SkS says it’s a hack but they won’t tell use how they know it’s a hack? Well it seems Bob has just posted part I of some sort of “tell all”. I wasn’t going to pre-empt Brandon , who alerted me to the story (and has since posted at his own blog<\/a> and II<\/a>, III<\/a>). But really, this new SkS post is beyond coy.<\/p>\n

Here’s Bob telling us how much he’s going to tell us:<\/p>\n

So how did the hack happen? Again, I am reluctant to share too many details,… <\/p><\/blockquote>\n

Indeed, Bob shares very<\/em> few details. <\/p>\n

What we are told is that according to Bob’s theory<\/em>, the “hack” happened in on February 21, 2012 and was perpetrated by someone Bob calls “The German” who used a Tor browser. Other than that: at least in Part 1, readers are not provided any<\/em> information to permit one to figure out whether this theory is remotely plausible. <\/p>\n

We are also told that no one at SkS suspected or detected ‘the hack’ for month<\/em> (in Bob’s estimate). But somehow or another, when Bob logged into SkS, he saw that someone else at SkS has learned of the “hack” which, Bob tells us impelled him to “quickly followed the link supplied by grypo to a comment on a backwater pseudo-skeptic blog announcing the hack”. Though Bob does not identify the “backwater pseudo-skeptic blog announcing the hack”, I think the link pointing to the SkS files corresponding to their forum data base appeared in comments in this post at Tom Nelson’s blog<\/a><\/p>\n

The comment begins:<\/p>\n

Dear Friends:<\/p>\n

In the interest of transparency, I think you should see these files from Skeptical Science.<\/p>\n

An anonymous whistleblower has brought to my attention some database logs and other files (e.g., http:\/\/www.skepticalscience.com\/logs\/2012-03-21.zip (the current day is txt, past days zip)). These files detail everything that happens on the site, from forum conversations to user accounts. I have collated some of the data in a more readable form.<\/p>\n

http:\/\/files.molongo.ru\/en\/my\/sks.zip<\/p>\n

Why has SkS chosen to publish all this on the public internet? Is it the first step towards transparency, or a catastrophic error? This is what I first intended to ask Mr. Cook.<\/p><\/blockquote>\n

What this suggests is that someone at skeptical science was backing up the database by duplicating it, zipping the database file and storing these files in a directory called http:\/\/www.skepticalscience.com\/logs\/. (For those wondering: My database at Dreamhost lets me create a todays_date.zip file back up of my database at the touch of a button. Heck, I can instruct Dreamhost to create these and store them somewhere on the server, or email them to myself or do any number of things. If I am not insane<\/i> I make sure that I do not store these in any accessible address<\/i>, like, for example, a file called http:\/\/rankexploits.com\/logs\/ Note: I do not store my backups in an web-accessible directory.)<\/p>\n

So, somehow this ‘logs’ directory and it’s contents were found. How might they have been found? Who knows? Maybe a curious person thought, “Why don’t I type http:\/\/www.skepticalscience.com\/logs and see what happens?” Or maybe someone started typing a uri, hit return before finishing and found the \/logs directory. Or someone typed a broken link. <\/p>\n

However they might have typed http:\/\/www.skepticalscience.com\/logs, if it contained zip files and no index and John Cook has not excluded surfing to that directory with .htaccess, and had not prevented display of the directory tree, the directory tree would have displayed. (This is default<\/i> behavior of many servers.)<\/p>\n

The person who found the directory might then have been curious<\/i> abut what they saw and clicked. OMG! <\/p>\n

I would not call this “a hack”. I would not consider accomplishing this “real skill”. In fact, it might be called “an accidental discovery”.<\/p>\n

Could the “well that’s not really a hack unless an accidental discovery can be called a ‘hack'” have possibly happened the way I suggest? <\/p>\n

Well, remember how the SkS Nazi Image Files were found<\/a>? They were found pretty much the way I described above. Directory trees can display, they often do. They did at “http:\/\/sksforum.org\/image”. This isn’t rocket science. It’s the way “the web” works.<\/p>\n

\"SkepticalScience_logs_directory\"<\/a>So: in other words, the simplest theory is that someone found the logs the same way someone found all the images. Somehow someone found the \/logs\/ directory, all the files displayed and then they clicked to download. That person downloaded the files, then created a database to hold the files and hosted it on a Russian server. (This is all easy.) they later described finding stuff in the \/logs\/ directory in a comment at Tom Nelsons and pointed someone to the address that displayed the database. Not. Real. Difficult. <\/p>\n

No one at SkS has ever said anything to suggest this is not<\/i> what happened. <\/p>\n

Meanwhile, we have Bob’s theory. Does Bob give us enough information to tell whether this person he called “The German” ‘hacked in’ in February 2012? Nope. Do we know what uri’s or requests were made that permitted this “The German” to ‘hack in’? Nope. Bob intimates that an SQL injection attack occurred on the day they “think” “The German” hacked in using his “Tor” browser. Can we inspect what he did to see if that particular SQL could possibly have resulted in SkS’s server disgorging the entire contents of the database? Nope. Does Bob tell us the IP so we can check his theory that this Tor connection hacked in? Nope. (I’ve averaged 8 Tor connections a day over the past 3 weeks. I’m Tor hostile and ban them, but just try to visit the blog. Some do do weird things. The mere appearance of Tor does not mean that a hack was attempted. It certainly doesn’t mean one succeeded. One needs to know more.)<\/p>\n

Now maybe all of this will be revealed in Part II, III or even XXVI. It will turn out SkS caught “The German” dead to rights– Tor Browser and all. Bob does have some very specific dates and times<\/i> in Part I, so maybe he’s reveal something to make me believe they actually know this was “a hack”. If so: Good going!<\/p>\n

That said: until I read anything to suggest that “revelation of the SkS forum database” didn’t happen exactly in the manner that is consistent with the description in the comment at Tom Nelson’s, I’m going to assume that’s how it happened. You know why? Because the “not a hack” method of revelation totally believable and<\/i> it wouldn’t require anyone with any skills to accomplish. It would merely require us to believe that John Cook organized the “SkepticalScience.com” more or less the way he later organized “sksforum.org”. <\/p>\n

Now, moving away from “the hack”, there are a number of other funny things in Bob’s post. Turns out SkS has particularly bad password security:<\/p>\n

Sceptical Wombat at 10:54 AM on 22 February, 2014
\nOne thing I think you should stop doing is holding passwords in plain text. A better way is to use a one way encryption algorithm and to only store the encrypted password. That way you never know my password and so no one else can get it from you. If I forget my password you issue a new one and require me to change it.<\/p>\n

Moderator Response:<\/p>\n

[BL] Passwords are not and have never been stored in the database as clear text. They are and always have been encrypted, and they are never decrypted. Rather, the password sent by the user is encrypted, and that encrypted password is compared to the encrypted password stored for the user. If they match, then the password supplied by the user is valid.<\/p>\n

[BL] Correction, I just looked at the code, and passwords are decrypted in the “Forgot your password” function — but that doesn’t represent much of a security hole, because it can’t be used to breach the system, and it can only be used to steal passwords if you already have the password and so can change a user’s e-mail, or otherwise have access to that person’s e-mail.<\/em><\/p>\n

Either way, that particular flaw doesn’t represent a pressing issue, at least compared to the effort it would take to correct.<\/p><\/blockquote>\n<\/blockquote>\n

Italics mine. That Bob. Bless his heart. <\/p>\n

Mind you, those skepticalscience.com passwords are only used to prevent spam at skeptical science. But anyone who knows anything about phishing also knows that people often use the same password on many sites. Some long time email users and even some ‘security experts’ know that people who “otherwise have access to that person’s e-mail” are sometimes called “their employers IT department”. At some companies, emails are stored. That means that skepticalscience is putting their own users at risk of revealing “pet” passwords which they might be using elsewhere to their IT department. So if you have a password at SkepticalScience, maybe you should consider changing it. Oy. <\/p>\n

In the meantime, we can all wonder whether Part II will give us any information to suggest that SkS has information to show the “the hack” was accomplished with an SQL injection attack perpetrated by “The German” using a Tor browser. Maybe they will. Maybe they won’t. To Be Continued. <\/p>\n

Update:<\/b> edited to add link to Brandon’s post.
\nUpdate Feb 25:<\/b>Barry Woods found a directory listing at the Wayback machine. I took a screenshot, uploaded and inserted at the appropriate location in the narrative.<\/p>\n","protected":false},"excerpt":{"rendered":"

Bob Lacatanae just wrote a post discussing SkS being “hacked” way back in February 2012. You know…. the hack that we are all supposed to know is hack because SkS says it’s a hack but they won’t tell use how they know it’s a hack? Well it seems Bob has just posted part I of … Continue reading SkS Non-revelations about their ‘hack’: Part I.<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[134],"tags":[],"class_list":["post-23788","post","type-post","status-publish","format-standard","hentry","category-politics"],"_links":{"self":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts\/23788","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/comments?post=23788"}],"version-history":[{"count":0,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/posts\/23788\/revisions"}],"wp:attachment":[{"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/media?parent=23788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/categories?post=23788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rankexploits.com\/musings\/wp-json\/wp\/v2\/tags?post=23788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}