Hacker says he leaked info on Unix flaw

A self-proclaimed hacker says he stole three unreleased security advisories from a corporate computer and posted them to a public mailing list.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.
A self-proclaimed hacker claims to have stolen three unreleased security advisories from a corporate computer and posted them to a public mailing list.

The online vandal, who uses the moniker "Hack4Life," said Wednesday that he stole advisories detailing flaws in a common set of Unix code, the Kerberos authentication system and some implementations of encryption for Web sites. He claims to have stolen them from a firm that had been working with the Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for security information.

"I am not in any way connected with CERT or any of the vendors involved," he wrote in an e-mail to CNET News.com. He added that he wouldn't give further details of the break-in and that he primarily stole the information for amusement and to show off.

The outing of the advisories this weekend caused some consternation in the security world, because the companies involved didn't have time to create patches for the problems before the information became publicly known. When a security problem is found in their products, software makers prefer to release the information after a patch is available.

One advisory outlines a problem with a library originally created by Sun Microsystems that is included in many Unix- and Linux-based operating systems. A second advisory highlights an issue in the Kerberos authentication system that could allow an attacker to impersonate other users. The third advisory discusses a specialized attack that could target servers using Secure Sockets Layer and break the software's encryption.

The CERT Coordination Center had been prepping the advisories for publication. In an interview earlier this week, the organization identified 50 different companies that had access to all three advisories, and Sean Hernan, team leader for vulnerability handling at the CERT Coordination Center, believed one of the firms or one of the firms' employees may have leaked the information.

"Ultimately, if someone chooses to take some information and post it anonymously to some mailing list, there is not a lot we can do about that," Hernan said, stressing that the incident wouldn't change how the group operated. "I think it is an unfortunate event, but I don't think it changes the plan to share information with vendors."

Hernan had suggested that the information could have been stolen by a hacker. Hack4Life's statement Wednesday apparently confirms that.

This is the third episode of early disclosure--or a lack of proper disclosure--of a vulnerability in the past two weeks.

Last Friday, the Samba Team rushed an advisory out to the open-source community after learning that an online vandal may have reverse-engineered a patch under development to identify the vulnerability that the patch was intended to fix. The incident came to light after a server apparently had been compromised by exploiting the vulnerable Samba program, a widely used application for hosting Windows files on a Linux or Unix computer.

On Monday, Microsoft announced that a customer had been compromised the week before by an attacker using a previously unknown vulnerability. The U.S. Army acknowledged that a publicly accessible military server had its security breached by an online vandal using the flaw in Microsoft's Web server software.

The three latest advisories were posted to the Full Disclosure security mailing list. The list, which is only lightly moderated, had been asked earlier this week to take the documents down but refused, saying it would be unethical to do so since the issues were already public.

"I have a philosophy about security problems that everyone should be informed at all costs," said Len Rose, moderator of the list. "If we end up with a group of people...that rely on the Internet but they are the last people to be informed, then that leads to bad security."

Rose understands the mind-set of the underground hacker community. The computer consultant, who had used the moniker "Terminus," pleaded guilty in 1991 to a charge that he sent proprietary AT&T Unix source code to other hackers.

Now saddled with the task of preventing similar breaches, Rose stresses that knowledge is power.

"I feel that full disclosure is always the best policy," he said. "I believe it was the best way, because it gives those of us who are responsible for the security of companies the information we need to implement defenses."