It Takes One to Know One

Thanks to a bit of paranoia, attack on ha.ckers.org is fended off

Dark Reading Staff, Dark Reading

November 12, 2007

3 Min Read
Dark Reading logo in a gray background | Dark Reading

6:10 PM -- The Web is a tricky thing for me. I not only interact with it, but I write about it, break it, and study it. I have to configure my personal equipment so I can communicate with it, but there is little to no trust relationship between my desktop and my servers. Why? Because of what happened a week ago.

A week ago, two individuals known as Sirdarckcat and Kuza55 attempted to compromise one of the sites that I operate, ha.ckers.org. We later discovered that they did so without malice in their hearts -- but at the time, it was as real as any malicious defacement crew. And these two were trickier than most.

First, they analyzed our security from the outside. They knew that I and my colleagues had built certain trust relationships with the site, and that I am the one who writes the blog. They knew the blog's structure, because I use open-source software. Most importantly, they knew that I ran NoScript, indicating that I don't trust most of the Web, but I do trust a few sites.

Armed with this information, they launched a clever attack. First, they posted a link to another site on ha.ckers.org, accompanied by an interesting description. The site was actually a decoy, and it performed several functions. Inside of an iframe, it attempted to detect whether I had been to the administration pages on the site.

Once it had decided that I was, in fact, the owner of the site, the exploit used a combination of the CSS history hack, a zero-day exploit in NoScript (a Firefox plugin -- which has since been patched after Giorgio Maone heard of the attack), and an old flash file that I had posted more than a year earlier to let the attackers run JavaScript on my domain in my browser. It could have worked -- the hackers assumed that I trusted myself to run JavaScript on my own domain.

Then they performed an XMLHTTPRequest POST, to get their payload (a long writeup that they thought would be funny to see on ha.ckers.org), injected into the site. Their assumptions were almost all correct. However, I had anticipated that exact attack -- despite the zero day exploit in NoScript and the flash file I had hosted -- and made corrective measures to protect myself from the attack. I'm not going to tell you exactly how I did it, for obvious reasons.

The moral of the story is you really cannot be too paranoid with your security. Even the smallest holes in your site could allow for fairly nasty exploitation. Had I been less careful, I have every confidence that their exploit would have succeeded. Pretty scary, when you think about it.

— RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights