Hacker plans more security-related shaming actions

Jul 7, 2015 11:15 GMT  ·  By

Breaking into an organization's systems and accessing files without authorization is unauthorized access, treated as computer trespass by the law in most jurisdictions. The motivation can be anything from financial gain to proving one's skills to fellow hackers.

Whatever the motive, such intrusions most often succeed because the target lacks adequate security measures.

White hats use the same techniques, with the owner's authorization, to evaluate how well a company's infrastructure holds up against a range of attacks, as part of a process called penetration testing.

GhostShell, a hacker known for targeting entities from various sectors (government, law enforcement, companies), took a break in 2013 but returned to the spotlight this year, on June 28, specifically to draw attention to the poor state of security at many organizations and to the damage black hats can cause.

“Too much news about cybersecurity stocks, snitches and Japanese high tech toilet hacking. It was about time the spotlight went back to what was important. Actual breaches made by actual hackers, in this case, hacktivists,” the hacker told us.

Some victims may have tightened security

GhostShell also introduced Dark Hacktivism, a concept in which the intrusion is meant to demonstrate the target's poor security without damaging its systems or data.

The comeback was marked by a total of 548 announcements of compromised targets from various industries, each accompanied by proof of the hack in the form of links to previews of the information accessed or exfiltrated.

Over 1,000 people informed of vulnerabilities; no reply received

Most of the victims were compromised in 2015, but some had been breached as early as late 2014. The hacker said that efforts were made to report the vulnerabilities responsibly, but they went unanswered.

“Emailed more than a thousand people, not even one reply back,” the hacker said, adding that some of the sites were taken down after the intrusion, indicating that someone cared about the security of the data and made an effort to patch things up.

Because of the large number of breaches, GhostShell did not retest the targets to check whether a fix had been implemented, saying that the admins had months to correct the security issues before the data became public. Whether any given published target is still exposed is therefore unknown.

The hacker said that waiting this long before going public could be read as “ethical disclosure” behavior, although being ethical was not the aim; the driver was the indifference encountered throughout the information security industry.

“We keep seeing all of these multibillion dollar corps selling their pricey infosec products and yet here we are breaching entire regions,” GhostShell added in support of that view, stopping short of naming any vendor.

Everyone should be considered a target

No criteria are applied in selecting targets, since the purpose is to expose vulnerabilities everywhere, regardless of sector. Attacking a government asset is considered no more or less important than hitting any other target; government bodies, too, deserve to know they can be hacked.

“Maybe a lot of them are being spied on as we speak. It would help to know these things, if your network is vulnerable.” GhostShell believes that an organization needs to know about its weak spots and that disclosing a security flaw is a better course of action than keeping it secret.

Plenty more Dark Hacktivism should be expected

This is what the hacker calls Dark Hacktivism: if everyone is a target and hacking is done indiscriminately, more vulnerabilities get disclosed, pushing overall security upward.

The hacker said that this aggressive manner of drawing attention to security faults would be carried out in the future. “So expect more releases in the near future. Lots more.”

The stated purpose is to expose the flaw so that it can be repaired before malicious actors take advantage of it. It is “a different type of hacktivism from the one we did in the past.”

The data taken from the targets was sent to trusted contacts around the world (in Japan and Australia, as far as we know), who then notified the victims of the breach. GhostShell assured us that the people handling the data work in cybersecurity and have the connections needed to make sure the problem is solved, or at least brought to the attention of the right people.

“Either way, on one side out in the open everyone can see the targets and vulnerabilities and on the other hand more data is being given to provide further assistance to the people affected. Win-win,” the hacker told Softpedia.

In the hacker's telling, this approach raises awareness of security flaws without disrupting the systems or the operations, present or future, of the victim, even though the data was nonetheless exfiltrated and passed on to third parties.

Money from disclosures would have been given to charities

GhostShell said that, going by past experience, reporting issues ethically to the target through third-party disclosure services had proven the wrong route to the broader goal of the hacktivity, because no one wanted to collaborate with hackers or hacktivists.

Most of the money made that way would have gone to charities. Again, no names were given, but the hacker expressed unpleasant feelings, to say the least, toward organizations that claim to work with hackers on vulnerability disclosure.

GhostShell's Twitter feed has been silent since July 4, when a message announced that all previously released data dumps had been taken down but would be republished on 100 file-sharing sites at an undisclosed date.

Whether other hackers will embrace the Dark Hacktivism concept is not something we can predict, but shaming insecure organizations in this way could serve as a stimulus for security awareness and for quicker responses to vulnerability reports.