Secret-spilling site Cryptome was hacked over the weekend, possibly exposing the identities of whistleblowers and other confidential sources, according to a hacker who contacted Wired.com and claimed responsibility for the breach.
The hacker said two intruders from the group Kryogeniks breached the long-running site, where they gained access to a repository of secret files and correspondence. Among them, the hacker claimed, were the records of self-proclaimed WikiLeaks insiders who have been the source of several unconfirmed tips supposedly detailing internal WikiLeaks matters.
Wired.com could not confirm the identity of the hacker, who asked to be identified as “Ruxpin” or “Xyrix.” To verify his claims, the hacker showed Wired.com screenshots of Cryptome founder John Young’s Earthlink account inbox and Cryptome’s directory. The latter showed two WikiLeaks file paths. The hacker also provided a list of about 30 names and e-mail addresses of sources who communicated with Cryptome and the contents of one e-mail exchange between Young and a Wired.com contributor from 2008. The Wired.com contributor and Young have authenticated the e-mail.
The hacker said they broke into Cryptome using a stolen e-mail password for the Earthlink account belonging to Young. They then used the e-mail account to reset the password for his site’s hosting account. The hacker claims they copied 6.8 terabytes of data from Cryptome, though “no files were deleted or altered.”
“Everything was copied for analysis,” one of the hackers wrote Wired.com in an e-mail interview. “Cryptome is an interesting read indeed.” He added that “only data that had relatively new time stamps is being given thought. There is simply too much to sift through.”
Young, reached by phone, confirmed some of the information provided by the hacker but disputed other assertions.
He didn’t know how the hackers got into his site or if data was deleted but said that “all the files were inaccessible,” and that Network Solutions had to restore content from a backup. He disputed the amount of data the hackers say they obtained.
“We had a little over 7 gigabytes, but not terabytes,” he said. “We’ve never had that much.”
Regarding the WikiLeaks insiders, although he acknowledged that some of them communicated with what appear to be e-mail addresses that could identify them, he doesn’t believe they’re actual WikiLeaks insiders and says he’s never done anything to verify their identities, and that the e-mail addresses could have easily been spoofed.
“I’ve not verified any of those and don’t know how one would,” he said. “I’ve been quite skeptical of anyone claiming to be a WikiLeaks insider.”
The hack of Cryptome would seem to illustrate the real value that a site like WikiLeaks offers. Cryptome, a proto-WikiLeaks, has published many important leaks since it was launched in 1996, exposing government secrets and gaffes.
The site, however, doesn’t provide the kind of secure, anonymized submission process that WikiLeaks boasts. Instead, it uses e-mail addresses controlled by Young, raising the risk that sensitive sources could be exposed by this and other hacks. Despite many controversies surrounding WikiLeaks and its founder, that site has never had a security breach, as far as anyone knows. But now Cryptome has.
The WikiLeaks Connection
According to the hacker, Cryptome’s WikiLeaks files contain ample communication between Young and about half-a-dozen supposed WikiLeaks insiders who, out of purported discontent with WikiLeaks founder Julian Assange and his management of the organization, have sent Cryptome unverified tips about supposed malfeasance and other activities inside WikiLeaks.
Young, who has long been suspicious of WikiLeaks’ motives, began publishing the tips this spring, despite expressing doubts publicly about their veracity. The tips prompted the ire of WikiLeaks, which referred to them as a “smear campaign” and has disputed that the sources are insiders.
Cryptome’s hacker claims that although some of the “insiders” initially communicated anonymously with Cryptome using a PGPBoard drop box, they later used personal e-mail addresses for ongoing correspondence, thus potentially exposing their identities to anyone with access to Cryptome’s files.
“Six [WikiLeaks insiders] are on familiar terms with John Young,” he told Wired.com. “Their real names are exposed in their signatures and in their messages. They are using familiar, personal accounts to communicate with Young.”
The hacker noted that “[email protected] writes about problems with their leader and problems with money. He sends a PDF (was published to the site recently), some chat logs, and information about the encryption process for submits that he thinks is suspicious. This is from one of the regulars.”
He declined to identify the WikiLeaks correspondents or the e-mail addresses they used.
“Their privacy is to be respected, and they will not be exposed or compromised,” he wrote. “We believe in preserving the system of transparency that Cryptome and other websites represent.”
The hacker claimed that Young demanded proof from the insiders to verify their connection to WikiLeaks and that “he gets it with ease” from them.
“They are legitimate,” the hacker wrote. “Those who are not, appear to get trolled (John Young is absolutely hilarious) and moved to a different folder.”
Asked if the identities of other anonymous sources of Cryptome were also exposed, he replied, “Yes, all of them are. [Young’s] address books were compromised, and many of the messages were not sent from anonymous emails … there are over hundreds. Too many to easily quantify.”
How They Got In
The whois record for Cryptome, which is hosted by Network Solutions, listed the site contact address as [email protected], one of Young’s accounts.
The hackers got the password for the e-mail account through Earthlink’s customer service center. Earthlink handles customer service for Pipeline accounts and uses a system, called MIDAS, that stores customer passwords unencrypted, in the clear, according to the hacker.
“Any Earthlink employee using MIDAS can do this without effort,” he wrote. “MIDAS is a legacy ssh application that many of the employees do not use, preferring a web interface called Spirtle instead.”
Earthlink did not return a call for comment.
The hacker said Earthlink’s system was breached about a month ago, at which time Cryptome’s login credentials were seized.
Armed with that password, according to a Network Solutions spokesman, the hackers then initiated a password reset for Cryptome’s hosting account using an online form. Network Solutions sent an automated e-mail to Young’s Pipeline account with a link to reset the password. The hackers, who had control of the e-mail account, then used the link to reset the Network Solutions Cryptome password twice — to passw0rd1 and then letmein1 — locking Young out of his account while they rummaged through Cryptome’s content.
The hackers said they decided to breach Cryptome primarily to harass a fellow hacker named Josh Holly, aka “TrainReq,” by posting a message identifying Holly as Cryptome’s hacker. Holly is best known for allegedly hacking into Miley Cyrus’s Gmail account and stealing provocative photos she purportedly sent of herself to singer Nick Jonas.
“Cryptome is a popular website,” the hacker wrote Wired.com. “Many people would have seen the joke (defacement), and the person (Trainreq) would have been subsequently bombarded with inquires about that to which he was clueless.”
The message included a shout-out to fellow Kryogeniks members EBK and Defiant — Christopher Allen Lewis and James Robert Black, Jr. — who were recently sentenced to 18 months and 4 months in prison respectively for a stunt in which they replaced Comcast’s homepage with a shout-out to fellow hackers.
The Cryptome hackers deleted the shout-out to Holly before many people saw it, however. “It did not have the intended effect,” the hacker wrote. “Josh Holly was sleeping and unavailable for trolling.”
They replaced it with another one identifying “Ruxpin” as Cryptome’s hacker. It’s not known if Ruxpin is one of the hackers behind the hack, since the hackers acknowledged they initially intended to point blame for the hack at someone else. It’s also not known if Ruxpin is the real handle for the hacker who communicated with Wired.com.
In addition to the shout-outs, the hackers left a note for Young: “Dear John. Rest assured that the integrity of the data hosted here has not been altered. We like Cryptome and needed your site because it was popular. Sorry. Godspeed.”
Young was not amused and says he’s determined to hunt down the intruders.
“One of the things I’m interested in is how much prowling they did beyond Cryptome,” he said. “Any rummaging in our e-mail is different than rummaging in Cryptome. We’re going to burn his or her ass with that.”