“Alleged” NSA email hacker, that is, although he seems plenty eager to discuss it publicly. On May 15, we brought you the exclusive story of a hack of the NSA’s backup email server, a server maintained, ironically, not by the NSA but by Qwest, an IT services company against which the NSA had previously battled (spoiler: the NSA won). Back then, a softer, gentler age mere months before 9/11, the NSA wanted permission to access your data, and it asked Qwest for that permission. Qwest refused. The NSA pressed the issue, soon armed with the newly-minted Patriot Act. Qwest’s federal contracts began to dry up as it continued to resist the fond embraces of the NSA. Four years later its CEO was sentenced to prison for insider trading, which he considers to be no coincidence.
While he was away, the NSA played.
And, apparently, outsourced its backup servers to the very company it had brought to its knees. Well, converts are always the most fervent, aren’t they?
On May 14 of this year, a hacker using the PH1K3 Pastebin account posted a stream-of-consciousness log purporting to be his adventures poking around the NSA email backup server, checking out vulnerabilities including outdated security certificates. The Swedish Anonymous account DⒶʀKᙡiNɢ ಠ_ರೃ then tweeted it out. It was picked up on social media, although over the next few hours it became apparent that social shares were being interfered with in interesting ways.
We picked up the story, now with bonus censorship, and while our article can be shared freely, you can no longer post the original Pastebin link to Facebook at all, neither as a standalone update nor (as you could for the first 24 hours) in a comment. Posts about the Pastebin have also vanished from LinkedIn. The horse had long since left the barn, however, and the Paste was viewed over 3,000 times before it mysteriously went blank. He has re-posted it here.
We spoke with the hacker via Twitter account DⒶʀKᙡiNɢ ಠ_ರೃ to get more information; if the NSA, or someone, was going to these lengths to disappear the story, surely there must be more to it than some old SSL certificates. Guess what? There was.
In our conversation, he used the name PH1K3, which even a cursory Google search will indicate is a prolix hacker with an interest in Swedish issues and websites, and who favours the time-honoured SQLi attack. The punctuation pattern is identical to the idiosyncratic pattern in the original paste, so it’s pretty certain we were talking to the right person. In short: PH1K3 is the alleged hacker, owner of the Pastebin account that posted the hack; DⒶʀKᙡiNɢ ಠ_ರೃ is the Swedish Anonymous Twitter account that publicized the hack.
The NSA hack paste was dedicated to Vampire666, who he says was an old friend. “Let’s put it like this, he was a pretty great hacker, really smart. He was a friend of mine, and he died of what I think was a drug deal that got really bad.”
“The main thing was to make a tribute to our wonderful friend and have some fun doing it. I did it and then I talked to Anonymous Swe[den] and asked them to publish it on twitter.”
He and Anonymous Swe go back a long way. “I would say that it all started after they [unspecified, but numberless, government agencies] fucked with thepiratebay, so I looked at the syntax of the Swedish government servers and released vulnerabilities in 180 of their servers that [even] a 9 year old could exploit. It’s still on pastebin, if you search for “swe vulns” you will find it. So I emailed the swedish Anons (including Twitter head darkwing) and asked them to put it out on their twitter as a gift to the Swedish people and kinda show that anakata, tiamo and brokep got my support. But I got contact with a lot more countries anons just that I like the Swedes, and anakata and tiamo I really like.”
He says he was not trying to hack Qwest, but rather the NSA, and when he started peeling that onion, it led to the corporate server, which came as a surprise. “Qwest haha yes, well I first looked at the syntax that the NSA use and of course they got rpc-bind (security “code” for their server) and nsa.gov is the front end.” So the actual server could be anywhere, even though it is accepting input that is destined for the NSA.
“What I realized was that I could only find four subdomains, and one of them was smtp.nsa.gov(smtp=email) [a juicy target in the extreme] so I checked it out and found out that it was hosted by Qwest.”
We asked for clarification: just how vulnerable did hosting it at Qwest make the NSA? How serious were the flaws that he identified? “Haha yeah [I said they had] ‘gay ass waf’.” A WAF is a web application firewall, a protection designed to prevent any but standard, expected contact between the server and the outside world. Essentially, if a good WAF is in place, known hacks will be prevented from working, and unknown hacks, unless they look exactly like standard, authorized web traffic, will also be blocked.
“Well, what I found was funny was that they had some expensive security on some of their servers but not all. Backup.qwest.com didn’t have that! The backup server also had an old ssh protocol 1.5.” This version is known to have vulnerabilities, and should have been updated. Because it was a backup server, not primary, it was prone to being overlooked.
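The overlooked-backup-server problem above is an inventory problem: a defender needs to know which hosts still advertise SSH protocol 1.x. The following is an added example (not code from the article or from anyone quoted in it) that parses SSH identification strings in the RFC 4253 form `SSH-protoversion-softwareversion [comments]` and flags legacy protocol versions; the hostnames and banners are constructed sample data, not real systems.

```python
import re

# Constructed sample inventory (hostnames and banners are placeholders, not real systems).
SAMPLE_BANNERS = {
    "backup.example.net": "SSH-1.5-OpenSSH_2.3.0p1",
    "mail.example.net":   "SSH-1.99-OpenSSH_3.9p1",
    "www.example.net":    "SSH-2.0-OpenSSH_9.3",
    "legacy.example.net": "SSH-1.5-Cisco-1.25",
    "odd.example.net":    "not an ssh banner",
}

# SSH-protoversion-softwareversion SP comments (RFC 4253 section 4.2)
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_banner(line):
    """Parse an SSH identification string into (protocol, software, comment) or None."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comment")


def classify(proto):
    """Return a risk label for an advertised SSH protocol version."""
    if proto == "2.0":
        return "ok"
    if proto == "1.99":
        return "legacy-compat"   # SSH-2 server that still accepts SSH-1 clients
    if proto.startswith("1."):
        return "legacy"          # SSH-1 only (1.3, 1.5): protocol-level weaknesses
    return "unknown"


def audit(banners):
    """Map host -> finding for every host whose banner is not protocol 2.0 only."""
    findings = {}
    for host, line in banners.items():
        parsed = parse_banner(line)
        if parsed is None:
            findings[host] = "unparseable"   # worth a look: not speaking SSH at all?
            continue
        proto, software, _ = parsed
        label = classify(proto)
        if label != "ok":
            findings[host] = f"{label} (SSH-{proto}, {software})"
    return findings


if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE_BANNERS).items()):
        print(f"{host}: {finding}")
```

Feed it the banners collected by whatever scanner or asset inventory is already in use; anything labelled `legacy` or `legacy-compat` is a host where SSH-1 should be disabled outright.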
“I generated some bad characters and added some Python and I got a working buffer overflow for their backup server. This was possible because they kinda don’t update and maintain all of Qwest’s servers.” A buffer overflow is exactly the kind of thing basic security measures are designed to prevent, and the ones in place should have prevented it, had they been updated and maintained.
“The code I created rebooted their server in 10-20min I think. I did it a couple of times just to verify it.” He says it checked out. He didn’t want to set it to cycle crashes regularly, as that would cause serious problems. About the large amount of “garbage text” that was in the Pastebin, he replied that it was “bad characters that I generated due to the bad encryption in the ssh. If you look at it, it’s a lot of “58” but not all is 58. The server could not handle [it] so it rebooted.”
He admits that the hack probably wouldn’t work if he tried it again today. “I would guess it doesn’t work cause Qwest have probably seen it and patched it [by now].”
And, last and biggest of our questions, we wanted to know: why the NSA? Well, it all boils down to that oldest and most painful of hacker burns: “they’re SKIDS!”
I think it’s really important that all people should know that the NSA are just an agency with money, they are not a gang of hard hitting coders. They buy their stuff (using the taxpayers’ money) and then think they are so cool with their gui tools.
When I saw that the paste was deleted, I saw 2 things: the first was that they didn’t hack my account, they went in through a backdoor and deleted it on Pastebin. If you look at my Pastebin you can see the view numbers are still there. So when NSA realized they couldn’t backtrace me, they did what they do, they use their “power of the blackmail” to blackmail Pastebin, Facebook and LinkedIn. This just proves that they should not have or even be an agency cuz they use their power for blackmailing companies into giving them access to their servers just cuz one person showed the world that they suck and they can’t code.
The important thing to remember is that the people will always win. They can’t take us down. Yes, they can try, but they will never succeed. It’s better to make a change for freedom rather than wait for others to do so. What this hack shows is that they are not coders; they can be taken down easily. The buffer overflow I wrote was like just a few lines of code.
In case that wasn’t clear enough, he’s released a new paste with some more details and a pithy intro.
He then goes on to give readers a DoS tool that they can use on any particular site that might have incurred their ire lately. For what it’s worth, Pastebin is still up. No word on how the NSA email servers are doing today, though.
Categories: Anonymous, Anonymous Sweden, Attack, Backdoors, Breaking, Censorship, Cyber, DoS, Facebook, Hackers, Hacktivism, Interviews, News, NSA, PH1K3, Pwnd, Security, SQL Injection
What’s his next move then?
Good question. Also, nice URL, I had thought that got taken down years ago.