The server hosting Hak5.org and the Hak5 forums was hacked.


VaKo


Look at the article about the hak5 attack that was just published in zf0, issue 5.

It doesn't matter that the passwords were stored hashed and salted... the attackers were sniffing them in real-time whenever someone tried to authenticate at the login page through some SSL exploit. I found my own info amidst the pages and pages of password dump: three different login attempts I made one day when trying to log in to the forums.

Attacks like this make hashes, salting, and strong passwords meaningless (passwords were pretty meaningless already).

Link to comment
Share on other sites

Thanks. I think everyone should be made aware of this, that it's out there in the public domain. Just scanned the ezine and my details are in there too. Just checked, and although not too big a deal, idiot me used the same password for other sites. One site now appears to have had its account deleted, which I never did and another site I think the same. So if not them, someone is using the data they've released for nastiness. Not important accounts though.

Good to see Matt fixed it all and would be great for them to do a segment, as Darren mentioned they might, on how it happened and how to combat against it.

Link to comment
Share on other sites

Here's a link to it, for those having trouble finding it (can also be found other places on the web):

http://freedomisnothingtofear.com/th28gaa1g.txt

Most of it is snide commentary, insults, and a metric sh*t-ton of dumps from the shell command history, ls, the shadow file, and other "trophies"....including that dump of every login attempt to the forum made while these asshats were MitM'ing it.

EDIT: Something keeps changing the link when I try to type it and post it here.............it's "www.freedomisnothingtofear.com" then a "/" then "zf0.txt"

Link to comment
Share on other sites

I did find the link and it shocked me... it amazes me how much this guy had no morals and was very 'selfish' and inconsiderate in what he did. The way he talks about hak5 makes me want to knock the F$%*&^@ $h1# out of him if I ever met him, and makes me think that he is one of the most ignorant, shallow SOBs out there. But I will say, it is important that people need to start getting better passwords/passphrases and change their hak5 pass atm if they currently have not, and any pass related to it... not because of the hacker using the passes (which he clearly stated that he might be back but I have absolute confidence in Matt, mubix, and all of the other admins in play here) but because some noob will find that file and use that file for not so swell intentions. Otherwise, people, if you find the file please do not share it, and please do not be a douche with it, that will get you nowhere. Other than that, I think the lesson was learned, and not just to certain people but to me as well, and I probably could say everyone here. Cheers, hope everything goes well.

P.S. Matt, mubix, vako thanks and stay positive :)

--jzman

Link to comment
Share on other sites

edit:

I think anyone who hasn't bothered to change their pass should do so upon reading this then. I wonder though, if they still have access to the site without anyone knowing. Based on the fact that they have ALL the forum passwords right there in plain text, it pretty much makes you wonder how long and how much further it's going to go. How many people's personal sites and lives will be attacked because of one breach, since a lot of people here have sites of their own, I'm sure there will be attempts at others from the forums because of this.

I still think their work is counterproductive. They claim to be hackers, but just because they can do this does not mean they earn respect from others. Might make them popular for a while, but it's like everything they seem to go against, they will one day be the "Kevin Mitnicks" and "Dan Kaminskys" of the web. Defacement and deletions of people's sites is criminal intent at minimum, not a show of skills, but a show of stupidity. It's like robbing a bank and then mailing the money to the police with your return address, just so you can become famous. They are as much what they protest against more than anything...

Link to comment
Share on other sites

Hmmm, seeing this

http://mashable.com/2009/07/10/imageshack-hacked/

and the threats made in it, they are now crossing the line and governments will class them as terrorists. Anti-terror laws will be used to try and stop them. I know it won't stop them but they should be aware they'll more than likely be treated as terrorists now.

No doubt the US will charge Gary McKinnon under the terrorist act.

http://en.wikipedia.org/wiki/Gary_McKinnon

Link to comment
Share on other sites
