Billoreilly.com customer information exposed by hacktivists
Technorati Tag: Security Breach
Date Reported:
9/18/08
Organization:
Bill O'Reilly
Contractor/Consultant/Branch:
BillOReilly.com
Nox Solutions
Location:
Los Angeles, California
Victims:
Customers
Number Affected:
"about 205"
Types of Data:
Names, addresses, email addresses, usernames, passwords, and other personal information
Breach Description:
"Hackers were able to obtain a list of Billoreilly.com premium members, including email addresses, site passwords and the city and state where they live."
Reference URL:
WikiLeaks
The Register
PCWorld
ChannelWeb
Report Credit:
WikiLeaks
Response:
From the online sources cited above:
Just days after publishing US vice presidential candidate Sarah Palin's personal email messages, the Wikileaks website has published data about members who signed up for a section of Fox Television host Bill O'Reilly's website.
Hackers were able to obtain a list of Billoreilly.com premium members, including email addresses, site passwords and the city and state where they live.
[Evan] A link to the screenshot of the BillOReilly.com administrator interface is provided below, courtesy of WikiLeaks. As you can see in the screenshot, passwords are displayed to the administrator. This is a big NO NO and a poor security design decision. Administrators, users, IT personnel, information security personnel, etc. all need to understand that passwords are confidential information and should be treated as such. Nobody should know a password except for the owner. Not the administrator, not the IT support person, not the information security person, ONLY the owner. Passwords are typically secured (on well-developed sites) on the back-end in a manner that does not make them recoverable, e.g. a one-way hash.
Link to billoreilly.com Administrator Interface screenshot
NOTE: This screenshot is not hosted by The Breach Blog and does depict confidential information.
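As an added illustration of the one-way-hash point above (example code written for this post, not code from billoreilly.com or Nox Solutions; the choice of PBKDF2-HMAC-SHA256, the iteration count and the sample member are my assumptions):

```python
import hashlib
import hmac
import os

# Added example: a minimal member store that keeps only a salted one-way
# hash of each password, so an administrator view cannot display it.
PBKDF2_ITERATIONS = 600_000  # assumed value; tune to your hardware budget


def hash_password(password: str, salt: bytes = b"") -> dict:
    """Return a record with salt, iteration count and PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


class MemberStore:
    """In-memory stand-in for a premium-member table (constructed for this example)."""

    def __init__(self):
        self._members = {}

    def register(self, email: str, password: str, city_state: str) -> None:
        # The plaintext password is hashed immediately and never stored.
        self._members[email] = {"city_state": city_state, "pw": hash_password(password)}

    def login(self, email: str, password: str) -> bool:
        rec = self._members.get(email)
        return rec is not None and verify_password(rec["pw"], password)

    def admin_view(self) -> list:
        """What an administrator interface should show: no password, not even the hash."""
        return [{"email": e, "city_state": r["city_state"]} for e, r in self._members.items()]


def demo() -> tuple:
    """Constructed sample member (not a real leaked record)."""
    store = MemberStore()
    store.register("member@example.com", "correct horse battery staple", "Los Angeles, CA")
    ok = store.login("member@example.com", "correct horse battery staple")
    bad = store.login("member@example.com", "wrong password")
    exposes_secret = any("pw" in row or "password" in row for row in store.admin_view())
    return ok, bad, exposes_secret  # (True, False, False)
```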
Some of the information was published Friday on Wikileaks.com, which has been under fire from conservative commentators, including O'Reilly, for publishing Palin's messages.
[Evan] Blaming WikiLeaks is shooting the messenger. I think people need to wake up and attend to the root of the problem... poor information security (design, awareness, implementation, and management). If we want to go after anyone, we should go after information custodians and the offenders that actually do the "hacking".
"Wikileaks has been informed the hack was a response to the pundit's recent scurrilous attacks over the Sarah Palin's email story -- including on Wikileaks and other members of the press," Wikileaks said on its site.
"Hacktivists, thumbing their noses at the pundit, took control of O'Reilly's main site, Billoreilly.com."
[Evan] Should we be surprised? Be careful in making yourself a target if you aren't sure what you are talking about or what you might be up against.
Premium members pay US$49.95 per year to access special content on the website, including discussion boards.
Operators of Billoreilly.com could not be reached for comment Friday afternoon, and IDG News Service could not immediately confirm whether the list was legitimate.
[Evan] It appears that the operator of Billoreilly.com is Nox Solutions. Nox Solutions boasts about other named clients such as Dennis Miller, Larry King, Dr. Drew, Billy Bush, Mancow, Laura Ingraham, Dr. Erika, Dr. Janis Schaeffer, Bill Bennett, Mike Gallagher, Michael Medved, Janet Parshall, Rusty Humphries, and Jerry Doyle. As my mind wanders, I question if any of these sites were configured similarly and are potentially vulnerable to the same type of attack.
A link to the full membership list has been published on a little-known political discussion website, which reported that rather than seizing control of O'Reilly's site, hackers were able to get the information from an unencrypted web page that did not require a login.
[Evan] Ouch! Admin access without a login, or am I reading this wrong?
The list includes information about 205 people who signed into the O'Reilly site during the previous 72-hour period.
Earlier this week, O'Reilly, host of the TV show "The O’Reilly Factor," had accused sites such as Wikileaks of "trafficking in stolen merchandise."
What really riled O'Reilly was that Wikileaks posted the e-mails in the first place.
"I'm not going to mention the Web site that posted this, but it's one of those despicable, slimy, scummy Web sites," O'Reilly said.
[Evan] Judgmental? Oh yes. I can see Bill O'Reilly's position on this matter, but I can see WikiLeaks' position as well. I think the finger is pointed in the wrong direction though. If WikiLeaks doesn't expose some of the things that they expose, would we ever find out? Wouldn't you rather know?
Because many internet users employ the same username and password for many sites, the Billoreilly.com information could be misused to gain access to other websites, but it could also undermine the integrity of the Billoreilly.com messageboards, which are accessible to premium members, according to Paul Ferguson, a researcher with antivirus vendor Trend Micro.
[Evan] BINGO! Mr. Ferguson is exactly right. The information obtained from BillOReilly.com on the surface seems limited in scope (i.e. access to a BillOReilly.com account), but when we consider that most people use the same usernames and passwords in multiple authentication scenarios (web sites, domain logins, etc.), the scope expands considerably. Take for instance PayPal. All that is required for login is an email address and password.
Commentary:
I wonder if Bill O'Reilly understood that his harsh criticism of "hackers" and sites like WikiLeaks could raise the ire of hacktivists who might target his site, email account(s), etc. I also wonder how informed Mr. O'Reilly was about the security of his own site, or if he just chose to leave these matters to his hosting company. One last thought: someone is going to notify the affected customers, right?
Small, quick and dirty password tips for general users:
Nobody likes passwords. Not users, not admins and certainly not information security personnel. Passwords (by themselves) are one of the weakest forms of authentication in use and are very simple to bypass/crack/guess in many implementations. So what should you do?
- Use strong passwords. There are tips for this available all over the web.
- Use separate passwords for separate sites. I know that this is a pain in the rear, so go to tip 3.
- Use a password management program such as Bruce Schneier's PasswordSafe (free) or RoboForm (free to try, then pay) to manage your passwords in a reasonably secure fashion. This way, you only have to remember one password. The one password provides access to the others.
- Do not disclose your password to anyone. Do not share your password with a co-worker, your spouse, your kids, your customer service rep, your tech support rep, etc. Nobody should know your password except for you.
- Question security. Meaning question what people are doing to protect your information. Ask questions. If the person you are talking to gets annoyed or can't provide you with the answers you demand, do business elsewhere.
Unknown
I find this situation very similar to the debate on how to release notice of vulnerabilities for hardware and software. I think it would be good measure if Wikileaks were to notify the site prior to releasing the breach information so, whoever the site is, they would have a heads up and a chance to fix the issue before it becomes general public knowledge. On the flip side, I think Wikileaks should still tell people about the breach at a later date. Perhaps they could give the site a deadline of some sort, like 1 week. I think that should be sufficient in most cases. Just my 2 cents.
You bring up a very good point in my opinion and I also think there are similarities.
It is more responsible (in a good citizen kind of way) to report the breach to the data custodian first. Furthermore, it would be nice to notify the victims and allow them time to react first. The issues that surround breaches are often times more complicated, unfortunately.
Do victims have the right to know before the public? I think a case could be made that they do. Is it possible to notify victims and allow them a chance to react before making details public? Sometimes yes, sometimes no.
I think your 2 cents make more sense than my 2 cents.