Technology

SourceForge Hacker: Nothing Personal


The self-identified culprit behind last month's attacks on Apache.org and VA Linux's SourceForge and Themes.org web sites says he has nothing against the open source community -- he just thinks computer cracking is too easy.

In an online IRC interview, the cracker known ominously as "Fluffy Bunny" characterized his attacks as a strike against public disclosure of security holes. "i hack, dot slash or whatever you might want to call it, i do not write my own exploits, i use other people's stuff, and no im not anti-open source, i am however anti-sec. i support the anti-disclosure movement among the computer and network security communities," Bunny wrote.

Of Fluffy Bunny's recent victims, only VA Linux's Themes.org site is still down, closed for "technical problems." The company says it cannot comment until an investigation is completed.

The Apache Software Foundation is more forthcoming with information, and has posted a detailed account of the Apache.org security breach.

According to the report, a Trojan horse implanted in SSH on SourceForge resulted in the compromise of an Apache developer's login ID and password, when he logged on from a SourceForge shell account on May 17th. That evening, Apache.org administrators discovered during a routine file integrity check that their own SSH client and server -- and other executables as well -- had been infected with Trojan horse code. The organization immediately secured the site by restoring executables and clearing all existing passwords.

Administrators have since verified that none of the Apache source code was compromised, though the foundation will not provide a full report until all investigations at the sites involved are completed.

Pat McGovern, head of SourceForge security, admits the site was compromised, but he told reporters that the break-in was discovered less than a week after it occurred.

Fluffy Bunny says that's wrong.

Sniffing Bunny

Shortly after McGovern's comments were reported, Themes.org, also a VA Linux site, was defaced by the cracker, who used the hijacked site to take responsibility for the earlier break-ins, and to ridicule McGovern's claims. Fluffy Bunny asserted that he had access to SourceForge, not for a week, but for over five months.

In the defacement, Fluffy Bunny also said he'd cracked Exodus Communications, an ISP, and Akamai, an Internet content delivery service. Fluffy Bunny backed up his claims by providing what appear to be user IDs and passwords from all the sites.

Asked about Fluffy Bunny's claims, Akamai responded with a vaguely worded statement: "Akamai was aware of a document posted to a popular Web site discussing a compromise to Akamai's internal business systems. Akamai's security team responded immediately to remove any vulnerabilities that this may have caused. At no time were the Akamai content delivery network, Akamai's customers, or partners impacted in any way. The situation was and is completely under control."

In Thursday's IRC interview, Fluffy Bunny confirmed that Akamai has secured its network.

The cracker also explained how all the recent compromises were related. The common link: a packet sniffer Fluffy Bunny put in place on Exodus. "There was a sniffer on exodus yes, but there are sniffers everywhere," Bunny wrote.

With the sniffer, Fluffy Bunny captured logon IDs and passwords for other sites, then installed Trojan horses at each new site. Exodus declined to comment on Fluffy Bunny's claims.

Fluffy said that he did not write his own exploits, he merely took advantage of known bugs with existing exploit code. The cracker said he works as a contractor in the field of security, and perhaps it is the ease of cracking so many sites using nothing but published exploits that makes him support the "anti-disclosure movement."

Asked if he considered himself a White Hat or Black Hat, he replied that the term "grayhat" might be better, adding that "no one can be truly a whitehat".

It should be noted that the IRC interview was arranged by following contact instructions left in the Themes.org defacement, but that doesn't rule out the possibility of a Fluffy Bunny imposter.

Before he could be asked to provide a verifiable bit of unpublished knowledge of the recent cracks, Fluffy Bunny suddenly had to leave. He missed an appointment to continue the interview an hour later. The IRC channel contained a number of nicks familiar to those who have viewed his defacements: Apache, torn, and Danny-Boy, for example. While proof of his identity remains elusive, none of the victims of his cracks are stepping up to refute his claims.

By Joe Barr

