Noted security professional Dan Kaminsky’s personal website was hacked into and personal information was stolen from his webserver and posted online on the eve of the Black Hat security conference. The stolen files included private emails between Dan and other security researchers.
Following is the cached result of Dan Kaminsky’s website which is currently offline.
According to the note the hackers left on Dan’s website on doxpara.com/zf05.txt,
We hacked Dan’s assets first through finding bugs and writing 0day, and then through abusing him giving away passwords and his silly password scheme. Check out just some of his passes: fuck.hackers, 0hn0z (root account on his mail box), fuck.omg, fuck.vps, ohhai
Five character root password? Niiiiiiice.
From .mysql_history:
SET PASSWORD FOR ‘root’@’localhost’ = PASSWORD(’fuck.mysql’);
See the pattern?
The hackers also criticized Dan for using insecure blogging and hosting services that they used to host their websites and in turn allowing access to their personal data.
If you looked at Dan’s website, he used WordPress as his Content Management Solution and used the Dropshadow wordpress theme developed by Brian Gardner.
Looking at the theme, the last development occurred around April 2007. Could the hackers have used some vulnerability in the theme itself or did Dan have an insecure version of WordPress installed on his webserver? Either case, if you are using WordPress as your content management solution, it is important to think about WordPress security.
If the top notch security professionals get hacked, what hope is there for the rest of us
Well, it just means that sometimes the best of the security gurus are vulnerable to the same kind of exploits and threats as everyone else. Guys like Dan Kaminsky and Kevin Mitnick who consult and provide security services to individuals or corporations to protect against these kind of attacks are also susceptible. It also means that there is no such thing as 100% secure and there is always room to improve and step up your security.