LiveJournal security
lj-PWN
soopageek
You know all of those nifty security changes LiveJournal has been making lately? What they neglected to tell you is why.

In case you don't follow the link to Bantown's Encyclopedia Dramatica entry from the Washington Post security blog:

"In order for the account takeovers to end, Bantown demands that Denise Paolucci post on the front-page LiveJournal news that LJ has been owned by Bantown."



Who is Denise Paolucci? Glad you asked. Apparently, the whole ordeal is the result of a vendetta that Bantown has for Ms. Paolucci.

Personally I find the staggering claim that they swiped 900,000 account passwords a little hard to swallow, but if it is true, it's no wonder that LiveJournal has been nagging about passwords for months and even freezing accounts. Also, if this is true, that means you people click on ANYTHING. Sheesh. Considering there are only 2 million active LiveJournal accounts, they have a 50% success rate at obtaining the information necessary to hijack an account. Pretty impressive if you ask me.

People wonder why I'm so cautious about putting too many real-life things out into the internet. This is why, ladies and gentlemen: somewhere in some massive file of stolen cookies lies my login information to LiveJournal. The concept of "friends-only" and "private" doesn't really mean much in light of that.

i'm not sure i get this. so if you clicked on WHAT you got owned?

I second the motion to clarify what we're not supposed to click on. And just for the record, I did not click on a single link within the article you posted, although at least now I know why LJ has been bugging me to change my account password.

see lj has NOT asked me to change my password, although today i DID forget my password at work and went to the password recovery page where i was told i could not request my password anymore as only five requests were allowed per day. i had never asked them to send it before, let alone five times today. i just figured it was some weird bug, though, and think it probably still was. interesting, though.

I think it's meant as general admonishment to not click anything that is not from a rock-solid, proven, trustworthy source. Pretty much the same advice that applies to email and phishing scams.

The way these attacks worked is: you clicked on "teh linxxor" and the destination executed a script. In this case it swiped your LJ account cookie, but on the internet at large such scripts could do anything (look for password files, install keyloggers, put porn on your machine, turn it into a bot, etc.).

The LJ attack was made possible due to a collusion of factors - security holes in a browser, and faults in LJ's dependence on cookies.

So how do you know what to click on and what not to? Aye - there's the rub. In a social network like LJ, not sharing links runs counter to the experience. Salty, jaded 'net veterans develop a sixth sense about things that is hard to quantify (but starts with ignoring email FWDs and similar drek). Basically no amount of free pr0n is worth borking your machine or your identity.

I don't know if that over-simplified or over-complicated things... but I hope that helps.


so we're talking about the funny links our friends post in their entries like 'omg look at the funny snl skit lol!' links?

In essence, yes, although we all know the internets would grind to a halt without the trade and barter of SNL skits ;)

It's worth noting the link would not necessarily have had to originate from LJ. Of course, the hacker would reap a quicker harvest that way, but you could have clicked a link in an email that would take you to the same page, and if you also had an LJ account.... you see where this is going.

And that goes back to the problem: I click on stupid stuff all the time... but I've developed a pretty good e-shit detector over the years too. There's really no hard-and-fast fail-safe rule for links. And that's why these attacks work.

The actual link(s) is not important, as it was likely a combination of hundreds/thousands of different links. And with the way a link will propagate through internet communities and the blogosphere as a whole, it's likely that a lot of people clicked on the offending links in friends' journals.

More than likely, the link was a script which executed the cookie transfer, in addition to still providing whatever content was promised, leaving the victim unaware that anything was amiss.

so what if they really did swipe 900k accounts? that doesn't mean they have time to bother playing with them all. i suspect they'd get bored after their 20th emo-kid victim. the whole point was to pwn LJ.

i'm still gonna change my pwd on reading this, but i'm honestly not too worried and i don't think anybody else really needs to be either.

the bantown people are all people at least loosely associated with LJDrama, most of whom have had trouble with the LJ abuse team at some point in time, and as best i can tell there are actually very few true haxx0rs in their midst. i could be wrong but i suspect that Denise Paolucci is rahaeli. she's been the subject of critique for a very long time.

Ah, I'm not terribly worried either; with 2 million active journals, we're all virtual needles in haystacks. Like you, though, I will change my password... it can't hurt and can only be a good thing.

incidentally, i've come to the conclusion that these people didn't do it because they actually thought they'd finally have their revenge against rahaeli. like real hackers, they simply "did it for the lulz."

while they make for fascinating reading sometimes, the ljdrama people are annoying as fuck.

oh, also, add me to the list of people who think more like 90 accounts rather than 900,000 may have been compromised. IRC logs on the ED bantown page reveal very little technical know-how, and the one or two actual "programmers" within their midst mostly specialize in writing IRC scripts to annoy people.

in short, the epitome of junior-high self-absorption.

Googling "Denise Paolucci" is amusing.

Personally, I really don't buy the 900k figure. Mathematically, it's just too hard to reach.

I know from posting photos in communities that a good link can generate tens of thousands of hits in a matter of days as it propagates through LiveJournal and the internet at large.

I host photos with a program that utilizes PHP scripting to serve the photos. It wouldn't be hard to hack the script to make it execute programs on my webhost, or anything I wanted it to really (assuming I had the coding knowledge). Simple scripts could easily be written to serve a photo in an entry, and the mere act of loading it could trigger all sorts of behind-the-scenes executions.

The real issue here is not what someone did or didn't click: I was being facetious with my assertion that people will click anything. The mere loading of a graphic from the internet can trigger all sorts of things if the person hosting it wants it to. What is at issue is LJ's security and browser security.

I haven't gone in-depth into the nitty-gritty of what they did, but there are several indications that the "problem" was limited to people using Firefox and other Mozilla-based browsers, so that right there cuts down the potential victims to a smaller group.

Otherwise, and on a more historical note: I was one of the first to employ cookies, and I started using them back right after Bill Dortch invented the things, and have used them in several business models. I don't know the particulars of what makes Firefox different in this instance, but cookies were designed to be read only by the domain that installed them. It was and has remained part of their security from the very beginning.

So, my interpretation has been that they claim to have gotten 900k lj-users, all using Firefox or Mozilla, to click on a link, possibly malformed, but I don't know, and they used a script from within LJ or from within the browser's location bar to read the user's cookies. I've been using cookies for a long, long time, as does every major website in the world. If somehow the original cookie implementation had been perverted so that my bank's cookies could be read from a porn site, it would be major news.

I do have a couple of guesses as to what happened, and LJ's side of the "problem" appears to be that they hadn't thought of every way to exclude script, and Firefox has an additional to use it. But, if it weren't for the combination of these two factors, it'd be much bigger news, affecting every major commercial site in the world, and everything would go out the window.
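The comments above describe the core of the incident: a script running in the browser read the LJ session cookie, and cookies are supposed to be readable only by the domain that set them. The audit below is an added example, not code from LiveJournal or from anyone in this thread; it parses constructed Set-Cookie headers and flags session-like cookies that script could read (no HttpOnly), that travel over plain HTTP (no Secure), or that are scoped to every subdomain. The cookie names and hosts are made up.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CookieSpec:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lowercased

def parse_set_cookie(header: str) -> CookieSpec:
    """Parse one Set-Cookie header line into name, value and attributes."""
    line = re.sub(r"^\s*set-cookie\s*:\s*", "", header, flags=re.I)
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure/HttpOnly have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return CookieSpec(name.strip(), value.strip(), attrs)

# Heuristic for "this cookie identifies a logged-in user" (assumed naming).
SESSION_NAMES = re.compile(r"sess|auth|login|token", re.I)

def audit_cookie(header: str) -> list:
    """Return findings for a session-like cookie; non-session cookies pass."""
    c = parse_set_cookie(header)
    findings = []
    if not SESSION_NAMES.search(c.name):
        return findings
    if "httponly" not in c.attrs:
        findings.append(f"{c.name}: missing HttpOnly, readable via document.cookie")
    if "secure" not in c.attrs:
        findings.append(f"{c.name}: missing Secure, sent over plain HTTP")
    domain = c.attrs.get("domain", "")
    if isinstance(domain, str) and domain.startswith("."):
        findings.append(f"{c.name}: Domain={domain} is shared with every subdomain")
    return findings

# Constructed sample headers (not real LiveJournal responses).
SAMPLE_HEADERS = [
    "Set-Cookie: ljsession=abc123; Path=/; Domain=.example.org",
    "Set-Cookie: ljsession=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: theme=light; Path=/",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h, "->", audit_cookie(h) or "ok")
```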

OK - That was me. I forgot that I purposefully logged-out last night. Sorry.

I actually have had this happen.

Funny thing was, I hardly EVER click anything, even stupid meme stuff that I see in my friends' journals, so I am still wondering how this happened.

Someone didn't hijack my journal, but somehow had hacked into our computer and fucked with all our settings so that we couldn't get into ANYTHING.

Dustin was able to fix it, but what a headache. We were lucky it was only a minimal amount of hacking.

As I told discreet_chaos in another comment, I was being mock-incredulous about people clicking anything. The fact of the matter is, security holes can be exploited and general information gathered with relatively simple scripts that execute upon the mere loading of a photograph, with no special action from the victim. E-mail marketers have been using this tactic for years: when you allow the images from a junk e-mail to load, there's a good chance that some less scrupulous marketers have it execute a script on their webserver (or at the very least, create a log) which lets them know whether or not you looked at the e-mail.

A friend of mine who worked in e-mail marketing for a while told me that they will even use 1-pixel clear images that you wouldn't even know loaded. This is why most e-mail clients these days allow you to read the text of e-mails without loading the graphics embedded in it, requiring the user to click a special button to make the graphics load.
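The two comments above explain why loading a remote image is itself a signal to whoever hosts it, and why clients block images by default. The detector below is an added example, not anything from this thread: it scans a constructed HTML e-mail and reports remote images that carry no visible content (1x1 or hidden), which is the pattern a mail client or gateway would flag before deciding to fetch anything. The hostnames and tracking ids are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class RemoteImageFinder(HTMLParser):
    """Collect <img> tags whose src would be fetched from a remote host."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        # Only http(s) sources cause a network request; cid:/data: do not.
        if urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.images.append(a)

def _dimension(attrs: dict, name: str):
    """Numeric width/height if present (accepts '1' or '1px'), else None."""
    raw = attrs.get(name, "").strip().lower().rstrip("px")
    return int(raw) if raw.isdigit() else None

def is_tracking_pixel(attrs: dict) -> bool:
    """A 1x1 or hidden remote image shows nothing; its only effect is the fetch."""
    tiny = _dimension(attrs, "width") in (0, 1) and _dimension(attrs, "height") in (0, 1)
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden

def find_tracking_pixels(body: str) -> list:
    """Return the src URLs of remote images that look like open-tracking beacons."""
    finder = RemoteImageFinder()
    finder.feed(body)
    return [img["src"] for img in finder.images if is_tracking_pixel(img)]

# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = """<html><body>
<p>Big sale this week!</p>
<img src="http://mail.example.net/logo.png" width="200" height="60" alt="logo">
<img src="http://track.example.net/open?id=USER123" width="1" height="1">
<img src="cid:inline-photo" width="1" height="1">
<img src="http://track.example.net/pixel.gif" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for url in find_tracking_pixels(SAMPLE_EMAIL):
        print("tracking pixel:", url)
```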
