The Anatomy of a Security Breach

Without going into too much detail, there is a guy who the security industry collectively hates.  When you hear a statement like that, the happy parts of our brains think this guy must be an underdog.  He must be awesome at what he does, and the big corporations hate him for it.  Or maybe he’s a world-renowned  hacker that nobody can catch.

Suffice to say, neither are the case.

Earlier today it appears that Greg Evans of LIGATT was, for lack of a better word, pwned.  His twitter account was broken into, his email was ransacked, and by the looks of it, his reputation has been ruined.  I think it’s time to look into how and why this happened.

Side Note: I have zero affiliation with whoever broke into his accounts and stole his data.

The Impetus

Before going into the how, it might help to explain why this happened.

[My opinion doesn’t necessarily reflect that of the attackers, nor does the opinion of my employer.  This is strictly an interpretation of the messages]

Good people get hacked.  It’s a fact of life.  Bad people get hacked.  It’s a fact of life. 

Part of this attack left a note explaining why all of this happened, and explained the contents of the data.  You can find the original post to this from his twitter account.

As it happens, the people who did this see it as retribution for all the things Evans has done in the name of the InfoSec industry.

"Do not meddle in the affairs of hackers, for they are subtle and quick to anger"

The first argument being made is that he tries really hard to be a major representative of the industry.

He's been on TV, he's been on radio, he's trying to draw as much attention to himself as possible.

This I would argue isn’t too much of a problem.  The industry needs spokespeople.  However, it goes on:

This man in no way represents this industry. […] He's gone after people at their home to intimidate them and their family. He's gone after them at their work to discredit them with their employer. And as everyone knows, he recklessly sues anyone who speaks negatively of him on the internet.

Nobody likes it when someone says something mean about you, or when they correct you in public.  However, sometimes it happens.  We are all sometimes wrong.  Evans doesn’t appear to agree with that statement, and will try to sue or slander anyone who disagrees with him. 

Don’t poke the bear.  It pisses the bear off, and gets you attacked.

Especially when you have a secret or two to hide:

Finally, to Gregory D Evans: it is done. All your lies are out in the open. Your investors will know. Your lawyers will know. Your employees will know. Your mother will know. Your lovers will know. Just step away and move on. Stop the stock scams. Stop the lawsuits. Stop the harassment. Stop robbing your employees. Stop embezzling. Stop deceiving every person in your life.

If you were someone who wanted to take justice into your own hands, I guess this is reason enough.

So how did this breach happen?

The Attack

It looks like an inside job:

To the brave soul who helped make this possible: thank you. You took great personal risk to bring this information forward, and none of it would be possible without you. It's unclear how you tolerate his lies day after day, but you've redeemed yourself by supporting this cause.

i can only speculate, but there are two-and-a-half basic ways this could have gone down.

  • Insider has administrator access to email servers and downloads the contents of Evans’ inbox
  • Insider gets Evans’ password and downloads the contents of the inbox
  • Insider gives administrative access to attacker and does one of the first two things

Once they had the contents of the email they had to get access to his twitter account.  This leads me to believe that the insider had administrative access, because they could then reset the twitter account’s password and catch the reset email before it got to the inbox.  Seems like the simplest approach.

Either that, or Evans used really weak passwords.

Once the attacker had their package, they just needed to distribute it and the message explaining their actions.  From his twitter account they posted the anonymous message to pastebin.com:

[…]

Enough is enough. He must be stopped by any means necessary. To that end, at the end of this message is a torrent of the inbox of [Evans’ redacted email address]; the only condition of receipt is that you not talk about the spool or this email release on twitter until after you have the full copy and are seeding it. He may be an idiot but his staff watch twitter for any mention of him, and it's imperative that this file be distributed as much as possible before takedown begins.

[…]

The message had a final, succinct message:

Happy Birthday Mr. Evans
[Redacted link to torrent]
archive password will be released shortly

I haven’t downloaded the torrent, so I don’t know what’s in the package.  I suspect the contents will be publicly disclosed shortly on a number of anonymous sites once there are enough seeders.

This could potentially just be a hoax.

The Fallout

Lots of people get hurt when security is breached.  In this case, quite a number of people will have some of their most private information disclosed.

Contained within his inbox is personal information of many, many people. Social security numbers, bank account routing numbers, credit reports, and other reports by private investigators. It was completely impractical to redact all of this information in any effective manner […].

Some people say that justice comes at the price of people’s privacy.  The attackers feel guilty about this:

This release immediately follows with a small regret. Apologies much be given to all the bystanders, innocent or otherwise. […] and for that: sadness. If in your search through this release you find personal information, please contact the person and notify them.

They also don’t have much faith in the likelihood of Evans properly disclosing the breach:

Even when GDE finds out of this breach, it's quite unlikely that he will follow proper breach notification procedures.

Once enough people have downloaded the torrent and started seeding the content, there isn’t any real way to remove the data from public access.  That means every one of those SSN, bank numbers, credit reports, and whatever else is in the archive will be publicly available for the foreseeable future.

Conclusion

Breaches occur all the time for reasons of profit.  This particular breach on the other hand was done in the name of justice and retribution.  While the motives may be different, the moving pieces work the same way, and there are still three basic parts to a breach: the motive to do it, the attack itself, and the fallout after the attack.

Hopefully everyone learns a little something from this particular breach.

My guess is that Evans will.