backtop


Print 10 comment(s) - last by wired00.. on Jan 30 at 5:38 PM


Goatse Security's homepage was briefly defaced Wednesday evening, allegedly by a disgruntled former administrator.

Goatse Sec. accuses Andrew "trelane" Kirch of being the man responsible.  (Source: Facebook)
No iPads were harmed in this incident

Goatse Security's research team has earned a name for themselves discovering a number of gaping holes in software and web sites alike.  But none was bigger than their discovery that AT&T was virtually handing out iPad users emails.  In an attempt to force AT&T to cover its hole and protect its users, the Goatse Sec shared the incident with the news, after their requests to AT&T went answered (according to the group's accounting).  And though they never released the emails they obtained in full, they now are standing trial on a variety of charges concocted by the FBI and various federal authorities [interview].

On Wednesday night, Goatse Sec's already colorful blog became even more so, when the organization's apparent falling out with a former administrator/team member resulted in their blog page being defaced and other mischief enacted.

The admin then penned a message to the Goatse team, gloating [blog]:

Dear Goatsec,

I have taken the liberty of exposing your gaping hole, and hope in doing so that I’ve given your balls a good twist. As you are a group of self-aggrandizing tw*ts, I have also contacted the media to ensure that this incident gets the coverage it deserves.

In cracking this site, I have sent specially crafted requests to the server with my browser ID spoofed to that of an iPad. Please know that while this was not instrumental in this wondrous crack, it _WAS_ poetic in many ways. I also gave Goatsec the same warning that they gave AT&T… none at all, to patch their gaping hole.
User Accounts have been deleted, and passwords changed.

AAAAAAAAAAAAAAAAAAAAAAND THE PREVIOUS ADMIN PASSWORD IS… T2!p*uje7ru*
Props to: The FBI, OseK, MadMax, mre|666, Scratch (Isuki), Sigdie, anyone who knows what Sigdie is, Krashed (because it’ll make Bratty happy to see his name on a deface page, even if he didn’t have sh*t to do with it)
F*ckoff to: LoRez (F*CK YOU), weev, Apple, AT&T, MI-5, Harry Pierce, and %$# *!&$@^@ everywhere.

That message lit up Goatse Sec's site for a couple of hours of the evening Wednesday night.  By 6:30 p.m. the site was restored to working order.

CNET entered a discussion with a person claiming to be the admin, who went by the handle #Sigdie (same as in the defaced post) on the EFnet Internet Relay Chat (IRC).  He claimed to be acting alone, and said that he is a security professional.  He states, "I felt it was appropriate to give them a taste of their own medicine. I felt some negative publicity would hopefully cool things down and force them to rethink their behavior."

We discussed the incident via email with Goatse Sec. spokesperson Leon Kaiser.  Mr. Kaiser was quoted in CNET as saying, "It appears that someone has found the root password to the Goatse Security blog. Ironically, in doing so, the person in question has broken more laws than 'Weev' or 'JacksonBrown' are accused of breaking."

Mr. Kaiser gives us more details about CNET's claim that the hacker secured a "root" password, stating, "By "root", I just meant admin on the blog's backend."

As to the accusation that the admin broke laws, he clarifies, "As for the lawbreaking comment, it was mostly sarcastic (we did not have all of the details at the time, either.)"

As to what made the former team member so disgruntled, Mr. Kaiser tells us, "We honestly have no idea what made him so angry. I suppose you could compare the incident to a disgruntled former employee stealing from a company."

Early in the morning an email from Kevin Lynne at Full Disclosure was posted, claiming [email]:

Knowing one of the people listed in the shout-outs, I told them about the props and they got back with the following statement: "After doing some digging, [I] found out that they did it to their own website to generate publicity. The person responsible told me he didn't think anything would happen from it so he used my old nick. He apologized to me and said he'll not do something like that in the future. "

Goatse Sec denies that the vandalism was done as some sort of social engineering stunt or publicity attempt.  Of course that's the tough part about being security professionals or hackers -- when they get attacked, everyone automatically assumes it was faked for attention, since they, after all, are the masters of social engineering.

Mr. Kaiser also offered us some new information.  He says that the person first posting [email] to Full Disclosure with news of the hack -- "Andrew Kirch" email:trelane at trelane.net -- was the person responsible.  Andrew Kirch is an Indianapolis, Indiana native [Linked In] [Facebook] [blog].

Mr. Kaiser says that while Mr. Kirch wasn't the former team member involved, that he was likely given the blog's admin password by the unnamed disgruntled former team member, and used it to execute the attack.  He states, "Mr. Kirch wasn't actually a member of our team. We're pretty sure that a former member of the team gave him the admin login."

Mr. Kirch describes himself writing:

I'm a 28 year old Open Source politician. I've used Open Source for years and am active in the community working on the community itself. This is a largely thankless job involving long days of convincing people I'm right.
Outside of that I'm a fiscally conservative social libertarian from Indiana in the USA (no I'm not a supporter of Ron Paul). I'm a member of the NRA, and I get range time in as frequently as possible. I own a company which deploys open source software to reduce the cost of phone service to those living in apartment complexes, and am on the board of a second company which develops websites that use Drupal, just like this one.

Update:  Friday 1/28/2011, 12:25 p.m. -

We received a message back from Andrew Kirch, who offered us chat logs, which he claims show Leon Kaiser to be coordinating the defacement as a publicity stunt.  He writes:

He believes this? He helped coordinate it.

He provided us with evidence of this, which does seem to indicate this.  We were not allowed to publish this evidence.

He adds:

I was an admin before he was, and the password was given to me by the (Then current) PR guy.

Update 2: Friday 1/28/2011, 12:45 p.m.

Leon Kaiser tells us:

I was not misleading you. This was an individual who literally did not inform us ahead of time that this is what he was doing. Since "trelane" was on our IRC server, we felt it best to engineer the password out of him, which we eventually did. After I did that, I locked him out of the site and changed the password. Everything said below was part of an attempt to regain control of our blog.

Oh, additionally, we kickbanned him from the channel once we got the password.

At this point it's kind of hard to figure out who to believe, so draw your own conclusions.

Update 3: Friday 1/28/2011, 12:55 p.m.

Leon Kaiser provides us with the following IRC log, supporting his claims:

21:22:30 <@LiteralKa> that's the channel trelane mentioned in his interview lol
21:22:36 < pynchon> thats the crew that jacked your goatse sh*t
21:24:31 mode/#press (+b *!*@maxchats-9nle78.trelane.net) by LiteralKa
21:24:31 <<< kick/#press (trelane`) by LiteralKa(no reason)
21:24:34 < pynchon> ok
21:24:39 mode/#press (+i) by LiteralKa
21:26:51 <@LiteralKa> i locked him out btw
21:28:02 <@LiteralKa> restoring what i can of the site
21:33:43 <@LiteralKa> that *ssh*le perm deleted a bunch of sh*t
21:33:51 <@LiteralKa> now sam has to restore that sh*t >:(
21:34:07 < pynchon> was trollforge compromised?
21:34:31 <@LiteralKa> no
21:34:33 <@LiteralKa> i dont think so
21:34:42 <@LiteralKa> 21:34:31 Irssi: Starting query in Hardchats with Krashed
21:34:42 <@LiteralKa> 21:34:31 <krashed> let me know if you find out who hacked goatse nosecurity
21:34:42 <@LiteralKa> 21:34:32 <krashed> :P
21:34:59 <@LiteralKa> gnaa.eu should be fine
21:35:32 < pynchon> http://security.goatse.fr/gaping-hole-exposed From: Andrew Kirch <trelane ()="" trelane="" net="">
21:35:32 < pynchon> Date: Wed, 26 Jan 2011 19:41:58 -0500
21:35:32 < pynchon> RLY?
21:35:32 < pynchon> YARLY.
21:35:32 < pynchon> (wasn't me of course)
21:35:47 <@LiteralKa> yeah i lold
21:52:12 <@pynchon> he posted the password
21:52:24 <@pynchon> did you delete his post?
21:53:36 <@LiteralKa> yes
21:53:41 <@LiteralKa> i restored as much as i could
21:53:45 <@LiteralKa> and locked him out
21:53:53 <@sloth> what account did he do it from
21:53:54 <@LiteralKa> the d*ck deleted the other users tho
21:53:56 <@LiteralKa> besides durandal
21:53:57 <@LiteralKa> admin
21:56:07 Irssi: Pasting 23 lines to #press. Press Ctrl-K if you wish to do this or Ctrl-C to cancel.
21:56:07 <@LiteralKa> 20:18:06 Irssi: Starting query in Hardchats with trelane`
21:56:07 <@LiteralKa> 20:18:06 <trelane`> why end the lulz?
21:56:07 <@LiteralKa> 20:18:14 <literalka> what
21:56:07 <@LiteralKa> 20:18:19 <literalka> so you did it?
21:56:07 <@LiteralKa> 20:18:28 <trelane`> of course
21:56:07 <@LiteralKa> 20:18:55 <literalka> do you actually think we're twats ;_;
21:56:07 <@LiteralKa> 20:19:03 <trelane`> password is v23UvnOr
21:56:07 <@LiteralKa> 20:19:04 <trelane`> no
21:56:07 <@LiteralKa> 20:19:09 <trelane`> the whole thing is a massive lulzstunt
21:56:07 <@LiteralKa> 20:21:21 <literalka> how u do it
21:56:07 <@LiteralKa> 20:23:35 <trelane`> that I won't disclose
21:56:07 <@LiteralKa> 20:33:06 <trelane`> I just kind of thought this up and was like "this will be lulz, and sh*t's been quiet"
21:56:07 <@LiteralKa> 20:33:12 <literalka> yes
21:56:07 <@LiteralKa> 20:37:08 <trelane`> apologies for the deletes, I f*cking suck at wordpress
21:56:07 <@LiteralKa> 20:49:20 <literalka> http://news.cnet.com/8301-27080_3-20029734-245.html?tag=mncol;1n
21:56:07 <@LiteralKa> 20:50:25 <trelane`> yeah I'm reading it
21:56:07 <@LiteralKa> 20:50:59 <trelane`> Durandal gave me the password
21:56:07 <@LiteralKa> 20:52:02 <trelane`> I bragged in ##politics, told LoRez to fuck off, and have denied it like 10 other places in public
21:56:07 <@LiteralKa> 20:52:09 <trelane`> deny half the time
21:56:07 <@LiteralKa> 20:52:10 <literalka> lol
21:56:07 <@LiteralKa> 20:52:11 <trelane`> admit half the time
21:56:07 <@LiteralKa> 20:52:18 <trelane`> I did the same thing when they accused me of narc'ing weev
21:56:07 <@LiteralKa> 20:52:20 <trelane`> caused MASSIVE duress
21:56:08 <@pynchon> this is why we use keypairs
21:56:16 <@LiteralKa> also
21:56:17 <@LiteralKa> 21:55:01 <krashed> well?
21:56:17 <@LiteralKa> 21:55:13 <krashed> your a security expert
21:56:17 <@LiteralKa> 21:55:19 <krashed> you are supposed to know this sh*t
21:57:39 <@pynchon> i f*cking knew it
21:57:48 <@pynchon> i can smell a rat like a fart in a car
21:57:50 <@LiteralKa> forgot to paste that
21:57:52 <@LiteralKa> sorry
22:00:29 <@sloth> how did you get back in? with the password trelene gave you?
22:00:48 <@sloth> could they have changed info for the admin user as another user?
22:00:54 <@LiteralKa> 22:00:29 <@sloth> how did you get back in? with the password trelene gave you?
22:00:54 <@LiteralKa> yes
22:00:59 <@LiteralKa> 22:00:48 <@sloth> could they have changed info for the admin user as another user?
22:01:01 <@LiteralKa> i think so
22:01:05 <@LiteralKa> everyone had admin access iirc
22:01:13 <@LiteralKa> and when i got on
22:01:19 <@LiteralKa> every account was deleted
22:01:21 <@LiteralKa> sans admin
22:01:22 <@LiteralKa> and durandal
22:01:30 <@pynchon> the only safe move is to wipe everything
22:01:42 <@sloth> I want the logs from sam
22:02:00 <@sloth> if I'm not around can someone else facilitate that
22:02:02 <@pynchon> yeah, get the logs
22:02:14 <@pynchon> syslog sh*t too
22:02:17 <@pynchon> ne tripwire
22:02:36 <@pynchon> ne mount / ro
22:04:26 <@pynchon> LiteralKa: dont worry about restoring sh*t yet
22:04:40 <@LiteralKa> not worrying
22:04:48 <@LiteralKa> I can't do that anyway
22:04:55 <@LiteralKa> i just did what i could
22:04:58 <@sloth> sam should be awake soon
22:05:01 <@LiteralKa> about a half hour ago
22:05:01 <@LiteralKa> :D
22:05:12 <@LiteralKa> sam said he would fix the gnaa site today too >:(
22:05:32 <@sloth> 4am in .fr
22:05:33 <@LiteralKa> whatever
22:05:57 <@LiteralKa> yo
22:06:06 <@LiteralKa> somoenes been commening on the blog
22:06:10 <@LiteralKa> taking ss
22:06:50 <@sloth> link?
22:06:52 <@LiteralKa> "lolhacked"
22:06:54 <@sloth> I don't see comments
22:06:55 <@LiteralKa> yeah, uploading
22:07:02 <@LiteralKa> they got labeled as spam
22:07:05 <@sloth> oh
22:07:24 <@LiteralKa> http://i.imgur.com/gXnN3.png
22:07:25 <@sloth> it's probably nothing but give me the ips and I'll check if they match anything
22:07:46 <@LiteralKa> well, 3 comments 2 ips etc
22:08:01 <@LiteralKa> and they're using webcitation
22:08:10 <@LiteralKa> so it might be the same guy thats been raging @ me and rucas and dolemite
22:08:18 <@LiteralKa> on every f*ciking news story
22:08:24 <@LiteralKa> with comment forms
22:08:24 <@LiteralKa> about goatse
22:08:25 <@LiteralKa> c
22:08:49 <@sloth> what is webcitation
22:09:04 <@LiteralKa> it archives a website
22:09:06 <@LiteralKa> on request
22:09:08 <@LiteralKa> a url,
22:09:11 <@sloth> oh
22:09:13 <@LiteralKa> so in case it goes down
22:09:14 <@LiteralKa> etc
22:09:20 <@LiteralKa> or chjances
22:09:28 >>> join/#press (trelane`!trelane@maxchats-5pb.ik2.93.66.IP)
22:09:56 mode/#press (+b *!*trelane@*.ik2.93.66.IP) by sloth
22:09:56 <<< kick/#press (trelane`) by sloth()

Leon Kaiser adds, "So, basically what happened was that trelane vandalized the site, apparently to get noticed by the media. He then came to us acting like he did it to help. I pretended to go along until I got the password, then promptly kickbanned him from the channel, and fixed the site as much as I could."

He adds that he apologizes for the confusion that ensued.

Update 4: Friday, 1/28/2011 2:00 p.m. -

Andrew Kirch has permitted us to publish his copy of a separate earlier chat log, which he claims proves his account:
Jan 26 20:53:51 * Now talking on #press
Jan 26 20:53:51 * Topic for #press is: JacksonBrown confirmed scarf
enthusiast:
http://www.dailytech.com/Interview+Goatse+Security+on+FBI+Charges+Following+ATT+iPad+Breach/article20693.htm
| http://www.gnaa.eu/wiki/news
Jan 26 20:53:51 * Topic for #press set by LiteralKa at Sun Jan 23
22:10:25 2011
Jan 26 20:53:55 <LiteralKa> yes hello
Jan 26 20:54:02 <trelane`> yes defaced
Jan 26 20:54:04 <LiteralKa> we 're gonnaa have a group blogfest in here
Jan 26 20:54:06 <trelane`> and much lulz
Jan 26 20:54:17 * LiteralKa has changed the topic to:
http://news.cnet.com/8301-27080_3-20029734-245.html?tag=mncol;1n
Jan 26 20:54:29 <trelane`> this is going to blow up bigger than Jesus
Jan 26 20:54:48 <LiteralKa> yes
Jan 26 20:54:50 <LiteralKa> or allah
Jan 26 20:54:56 <trelane`> and Allah blows up pretty big
Jan 26 20:54:59 <trelane`> just ask Osama
Jan 26 20:55:01 <LiteralKa> (إنشاء الله)
Jan 26 20:55:28 <LiteralKa> The source claiming credit for the hack
declined to provide specifics on how it was done beyond saying "the site
was not secure." Asked to comment on the allegation from Kaiser, he said
"no laws were broken."
Jan 26 20:55:29 <LiteralKa> lol
Jan 26 20:55:36 <LiteralKa> it just sounds like a he said she said
Jan 26 20:55:58 <Murdox> ok
Jan 26 20:56:03 <Murdox> should we change the site back yet
Jan 26 20:56:07 <LiteralKa> no
Jan 26 20:56:12 <LiteralKa> let it sit for the night'
Jan 26 20:56:20 <Murdox> ok
Jan 26 20:56:20 <Murdox> well
Jan 26 20:56:46 <Murdox> edit the fucking frontpage and put
goatseinsurance links back on it in the sidebar
Jan 26 20:57:21 <LiteralKa> this needs to be seen by sam
Jan 26 20:57:23 <LiteralKa> and lold @
Jan 26 20:58:17 <LiteralKa> I'm gonna play this off like it's real publicly
Jan 26 20:58:31 <LiteralKa> because if its found out it isnt
Jan 26 20:58:37 <LiteralKa> nobody takes us seriously
Jan 26 20:58:41 <LiteralKa> in the future
Jan 26 21:00:41 <trelane`> right
Jan 26 21:01:26 <trelane`> anyone that's legit should know it's fake
Jan 26 21:01:31 <trelane`> wordpress md5's it's passwords
Jan 26 21:01:39 <trelane`> if the password's posted, then the password
was compromised
Jan 26 21:02:02 <trelane`> though the login page is set to http, not https
Jan 26 21:02:04 <trelane`> so that's plausible
Jan 26 21:03:40 <trelane`> incidentally it looks like WP has virgin
control management, so most of the shit I accidentally deleted should be
restorable
Jan 26 21:03:46 <trelane`> again, apologies for that
Jan 26 21:04:40 <LiteralKa> lool
Jan 26 21:05:17 * *** LiteralKa invited sloth into the channel
Jan 26 21:05:19 * sloth (sloth@maxchats-dlf82u.org) has joined #press
Jan 26 21:05:20 <sloth> yo
Jan 26 21:05:22 <trelane`> Harry Pierce is a character from a TV show
about MI-6
Jan 26 21:05:26 <trelane`> err MI-5
Jan 26 21:05:27 <LiteralKa> trelane`: fill sloth in
Jan 26 21:05:31 <trelane`> 90% of that was total bullshit
Jan 26 21:05:45 <sloth> how did they get in
Jan 26 21:05:47 <trelane`> sloth, tonight, security.goatse.fr was
"hacked", to epic lulz
Jan 26 21:05:55 <LiteralKa> "they" = trelane`
Jan 26 21:05:56 <LiteralKa> :)
Jan 26 21:05:58 <trelane`> sloth, they = me, and again, it's durandal's
fault
Jan 26 21:06:03 <trelane`> he gave me the password, that bastard
Jan 26 21:06:03 <LiteralKa> haha
Jan 26 21:06:14 <LiteralKa> lol when
Jan 26 21:06:18 <trelane`> ages ago
Jan 26 21:06:20 <sloth> what?
Jan 26 21:06:28 <trelane`> he still has an admin acct I think
Jan 26 21:06:38 <sloth> wait, trelane did it?
Jan 26 21:06:42 <trelane`> sloth, right now media = blogging a storm
Jan 26 21:07:04 <trelane`>
http://news.cnet.com/8301-27080_3-20029734-245.html?tag=mncol;1n
Jan 26 21:07:12 <sloth> who has access to update the members page?
Jan 26 21:07:14 <sloth> please remove my name
Jan 26 21:07:35 <trelane`> you aren't on that
Jan 26 21:07:38 <LiteralKa> it's all gone
Jan 26 21:07:40 <LiteralKa> lol
Jan 26 21:07:41 <trelane`> changed the team page to TEAM STATUS = FIRED
Jan 26 21:07:48 <trelane`> left the donate to weev up
Jan 26 21:07:49 <sloth> ok good
Jan 26 21:07:52 <trelane`> so that weev gets donates
Jan 26 21:07:55 <LiteralKa> lol trelane
Jan 26 21:08:05 <LiteralKa> p sure that is old info anyway
Jan 26 21:08:06 <sloth> because I don't want my name on it anymore
Jan 26 21:08:10 <LiteralKa> the paypal at least
Jan 26 21:08:15 * trelane` senses some degree of rage from sloth :/
Jan 26 21:09:05 * trelane` has both taken, and denied credit in various
forums to increase confusion
Jan 26 21:10:01 <LiteralKa> see, I'm just gonna treat it as real when
the media asks
Jan 26 21:10:09 <LiteralKa> otherwise we loose cred :\
Jan 26 21:11:57 <trelane`> LiteralKa, what about something like this.
When JacksonBrown was pointlessly arrested, security updates lapsed.
This is unfortunate for both the internet, and our team members whose
civil rights, and essential freedoms are being violated.
Jan 26 21:12:14 <trelane`> JB is useful here because no one knows shit
about him
Jan 26 21:12:15 <LiteralKa> for what
Jan 26 21:12:27 <trelane`> LiteralKa, for the reason why the hack occurred
Jan 26 21:12:33 <trelane`> a patch was missed when JB was arrested.
Jan 26 21:12:36 <LiteralKa> lol
Jan 26 21:12:41 <LiteralKa> uhh
Jan 26 21:13:09 <LiteralKa> I'll probably spin something like that
Jan 26 21:13:21 <trelane`> because it gives us the chance to drum up
sympathy for HB
Jan 26 21:13:23 <trelane`> JB
Jan 26 21:14:12 <LiteralKa> uhh
Jan 26 21:14:17 <LiteralKa> kinda transparent
Jan 26 21:14:29 <LiteralKa> I'm just gonna play it off like it was some
overzealous punk
Jan 26 21:14:34 <LiteralKa> or at least we think it is
Jan 26 21:14:35 <LiteralKa> etc
Jan 26 21:15:20 <sloth> I don't get what the point of this was
Jan 26 21:18:49 <trelane`> sloth, lulz
Jan 26 21:20:59 <trelane`> sloth, you must dedicate all, and do anything
for the pursuit of lulz
Jan 26 21:21:41 * Disconnected (An established connection was aborted by
the software in your host machine).
**** ENDING LOGGING AT Wed Jan 26 21:21:41 2011

He adds, "With this said, it's a password I gave them immediately. I have nothing against them, and they did everything they could to push the publicity, had me in the ##press channel working on it until one member, sloth, started to rage about the whole thing. Then they decided to distance themselves."

At this point both parties offer plausible stories, but its unclear who is telling the truth.


Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Immature much
By bigboxes on 1/28/2011 10:49:43 AM , Rating: 5
Hacker/programmer. What's the diff? Anyone can do good or bad. It's their choice.


RE: Immature much
By SilthDraeth on 1/28/2011 4:11:43 PM , Rating: 5
WTF is the point of this article?


RE: Immature much
By wired00 on 1/30/2011 5:37:17 PM , Rating: 2
I think daily tech is being immature following following this cr@p beyond the initial "news". I for one don't want to read their little b1tching session chat log updates. Do you?

I mean, it actually says "RLY?" ... "YA RLY". come on Dailytech I just lots a few IQ reading part of it. there is no place for this junk on here.


RE: Immature much
By wired00 on 1/30/2011 5:38:43 PM , Rating: 2
...seems i lost so many i can't put a sentence together ;)


“We do believe we have a moral responsibility to keep porn off the iPhone.” -- Steve Jobs














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki