My Analysis of the Rawshark Hack of Cameron Slater’s Communications

By Guest Blogger @Te_Taipo

What I want to discuss here is the attack on the WhaleOil communications network which resulted in a large cache of emails and attachments becoming the centrepiece of Nicky Hager’s book Dirty Politics.

I hope that you the readers, bloggers and users of online services will learn from the mistakes Cameron Slater made, and harden your web applications to minimise the chances of this happening to you.

I will also try to keep this as non-techie and non-geeky as possible …

Background

In January/February 2014 Slater’s WhaleOil site was hacked, sometime after he posted a blog post with the headline “Feral dies in Greymouth, did world a favour”. We were later to find out that the hack was carried out by someone using the pseudonym Rawshark. What do we know about Rawshark from a technical perspective? He or she:

  • was very competent at secure, anonymous and private communications;
  • was very competent at protecting metadata that could lead to his or her identity being discovered;
  • understands the importance of good compartmentalisation of communications; and
  • does not show off: no hacking groups, no fanfare, just in and out.

The hack occurred around the same time that Slater’s website “Whale Oil Beef Hooked” was allegedly taken down by a denial-of-service (DoS) attack. It is not known if Rawshark carried out the alleged DoS attack, or if it was another group, or even if the attack took place, for it could well have been Slater taking his website down to fix it after being hacked by Rawshark. But for now we can only go by media reports that the site was indeed DoS attacked, and that Rawshark was somehow associated with it in some form.

According to Nicky Hager in his book Dirty Politics, some weeks after the hack Hager received an 8 gigabyte USB stick in the mail containing thousands of pages of emails hacked from Slater’s “website”. We have no clue about the extent of the data that came into Hager’s possession, but from all accounts, most of the leaked information was in the form of emails and file attachments, chat logs from GMAIL, and private chats from Facebook.

We do not know if there was other material in the leak, for example from Slater’s home or office computer, or to what extent his infrastructure was invaded. The only option then to form an analysis at any level is to go with what is publicly available and come to tentative conclusions by way of deduction.

The Herald has seen email records which appear to cover 2009 through to 2014

So if we start from the position that the bulk of the information was taken from Slater’s GMAIL account, and ‘possibly’ from his Facebook account, we can then start to discount a few of the possible attack vectors an attacker would use to pull off such an attack.

His Home or Office Computer as the Source of Documents

Firstly we should talk about the culture of bloggers to get a better idea about where potential repositories of private data might be stored. A good attacker would do this mental exercise before mounting any such attack.

Bloggers are not necessarily security experts when it comes to using the internet in a secure manner. Some security experts for all their talk are also crap at this. But what you will find with most bloggers are drafts of documents they might be working on. Drafts are stored on their home or office computers in Word docs, pdfs, and other formats; and drafts are on the website content management systems (CMS) they use, ready to go live (be published) at the appropriate time.

XSS Attack?

Well resourced attackers can take aim at their targets while they are surfing websites that do not enforce HTTPS. This can allow them to inject web browser exploits onto a user’s computer and essentially take over the computer by installing their stuff into hard drives and into the computer’s BIOS.

My guess is that Cameron Slater’s home or office computer at that time would have been a treasure trove of gathered dirt far beyond what was revealed in Nicky Hager’s book Dirty Politics.

However there do not appear to be any local hard drive sourced disclosures in the released material either from Nicky Hager in Dirty Politics or from Rawshark via the @whaledump and @whaledump2 Twitter accounts. The releases are all chat logs, emails and attachments, and drafts of press releases in emails and attachments etc.

For an example of this, check out the @hackingteam hack, in which attackers appear to have taken an entire cache of the company’s network fileserver via a hack of its webserver.

In such a case an attacker would typically get their hands on hundreds of gigabytes of information, and not just emails, attachments and chats from online services.

So we can tentatively rule out a phishing attack or XSS attack on a home or office computer …

Smart Phone Hacked?

We also do not see in the released material any cellphone messages from a phone’s text repository. A lost or stolen smartphone is a treasure trove for an attacker because of the widespread habit of having GMAIL accounts, chats, Facebook, Twitter and more all logged in on smartphones purely for the convenience of it all.

Surely with all the text messaging between Slater, Collins and Key we would have seen those come to light. Yet the only text messages we see following the Rawshark disclosures are from non-Rawshark sources.

Now this could mean that Hager chose not to release this material, but of all the material released, there appears to be not one single document that originated from Slater’s home or office computer and not one cellphone text message. We will never know, but the conclusion I come to is that it is most likely that this attack was not aimed at his home or office computer or at his cellphone, but rather was restricted to wherever it was he stored his emails.

GMAIL Email Repository

GMAIL is a web based email service that used to actively encourage its users to never delete their emails …

A user can also forward a copy of their emails in their GMAIL account to any of a range of other email accounts. In fact a user could forward all emails and never store any in their actual GMAIL account.

So we should not just assume that an attacker broke into Slater’s GMAIL account, even though this appears to be the likely entry point.

So how does an attacker break into someone’s GMAIL account?

There are some really easy ways, and some really hard ways.

The easiest first, in which the target (in this case Slater) has left his GMAIL account logged in on someone else’s computer (we will call that person Attacker/Friend or AF). AF would then have access to that GMAIL account. Even if Slater had logged out of his GMAIL account on AF’s computer, if AF had the ‘Save Passwords’ feature enabled in his or her web browser, AF could then log back into that GMAIL account and siphon off all the emails. And using the most extreme method, AF could use a keylogger to record the username and password as Slater typed them and then later gain access.

This would be a rookie mistake on the part of Slater. Even though I do not rate his security precautions at that time as being anything of substance, this attack method is also rather opportunistic and not at all common when an attacker has decided to directly target someone, as it appears was the case with Rawshark.

How about breaking into a GMAIL login, can that be done?

Password Cracking

Password cracking in GMAIL is difficult because of the flood controls GMAIL uses. Even if Slater used a rather easy to guess password, it would not be easy to break it using the GMAIL login form.

Slater would have had to use a really obvious password like Wh@l3oil for it to be possible for an attacker to guess the password without employing a password cracking rig … but of course this is quite a common type of password structure for most security-unaware users of the internet.

After all, bloggers are often just average internet users who happen to be bloggers.

Often it takes an attack like this one before web administrators realise that it is not enough just to know how to administer a content management system, and that in fact you need to learn some security basics as well.

But I am going to tentatively rule out a super easy to guess password … for now, ’cause, well, that would just be too sad …

Password Reset ‘Feature’

Another possible way into a GMAIL account is through the password reset feature. Even if you enter fake information into this feature, GMAIL has, on the odd occasion, emailed a password reset to an attacker’s designated email account, thus allowing them to take over a target’s GMAIL account.

Password reset attacks are not stealth attacks, are rather hit and miss, and this method does not fit the modus operandi of Rawshark who appears to be someone who knows how to research and take down her or his target without them seeing the attack coming.

Remote Exploits

Then there are these little devils called 0days. You can buy them on the so-called Darkweb. They are exploits of vulnerabilities found in popular web services that have not been disclosed to the web service developers, and therefore remain unfixed. I do not get the sense that this was how this attack went down, but let’s look at an example. Let’s say someone discovered a way to circumvent GMAIL’s login CAPTCHA (those letters and numbers you have to enter when you get your password wrong), and instead of notifying Google, they could then go to one of these Darkweb sites and sell their knowledge to the highest bidder. An attacker could then use this 0day to crack easy-to-break passwords, because there would be no flood controls to prevent this.

But again, I do not see this as the approach that Rawshark took, with nothing more than a gut feeling, rather than any evidence, pointing to this conclusion.

Jeremy Hammond Level Attacker

Lastly there is the rare creature known as the extremely talented IT exponent. The world is now gifted with a few of these individuals. In my book Jeremy Hammond is one of these people; there are others. Love him or hate him, Hammond was one of the more talented computer attackers I have ever read about – Rawshark could well be such a character.

It is possible although not probable that Rawshark, using her or his own pure talent, found a way in through GMAIL’s security into Slater’s email accounts without the assistance of social trickery or by tricking GMAIL’s password reset procedure. It is a rare thing, but it has happened before.

What other ways are there to get into the repository of emails?

Conveniently enough a GMAIL user can forward all their emails to another email account. I for example have my old GMAIL email forwarded to my Riseup email. So a successful attack on my Riseup email account would net an attacker both sets of emails.

In Slater’s case we do not know if he used any other emails but we do know that he owns a web space where his website was hosted. He also has a domain name and with that we can assume like so many other bloggers at that time, that he had his website hosted on a shared hosting platform that gave out free email accounts in his domain name. For example, if you own the domain name whaleoil.co.nz then it is a trivial matter to set up an email address like support@whaleoil.co.nz.

These shared webspace services also allow for emails to be held in an account on the webserver, so it is possible (but not probable) for Slater to forward a copy of his GMAILs to one of these email accounts as a backup or for whatever reason he deemed necessary.

Unlike breaking into GMAIL, it is much, much easier for an attacker to break into a shared webspace.

On a number of occasions people that have dealt directly with Rawshark have referred to the attack as being an attack on Slater’s website although this could well be misdirection.

So this is one potential set of conditions where an attacker, aiming to break into a website for nefarious purposes, cracks the control panel login, and then has access not only to all the website files, but also to the email accounts which may have been preconfigured within the control panel. Then, upon digging around, they find Solomon’s Mines of dirt in an email account.

This … is … possible, and happens thousands of times a day on the internet.

So how does an attacker break into a web space, or “website”?

Well the most common method is via insecure code within a website.

Bloggers like Slater use precompiled blog scripts like Drupal, WordPress, Joomla, phpBB or vBulletin. These content management systems (CMS) often have security weaknesses or vulnerabilities that an attacker can exploit between the time the weakness is made known and the time when a blogger/user updates their CMS.

All of the above allow users to add plugins/addons, some of which have file upload ‘features’ that are incorrectly coded. Even the core CMS itself could have a vulnerable file upload feature, as has been the case.

The attacker using free tools like Joomscan, WPScan, etc, can poke around, find and exploit one of these weaknesses or vulnerabilities and upload a file called a shell which allows them to get full access not just to the website and other websites on a shared webserver, but also to the webserver itself.

An attacker can also get access to your website files via rather simple misconfigurations of webservers that allow them for example to view the contents of a backup directory which contains website database backups.

Slater himself is alleged to have made such an attack on the Labour Party website via a misconfiguration. In that case it was a missing default index file and a misconfigured Apache <Directory> directive setting causing the server to issue a directory listing and allowing the attacker to see all the files in the website directories, and download website and database backups.

By exploiting these vulnerabilities an attacker can get access to at least the database, and in some cases, the login credentials for the CMS.

But so what, that does not get us any emails.

Well yes and no.

We should return again to blogger culture, and common password culture or the lack of it, on the internet. As I said earlier, bloggers are often average internet users who just happen to also have a blog.

Most people know one really good password. And they use that password everywhere – their email accounts, Windows login, Twitter, Facebook, etc. There is a good chance that people reading this themselves use one hard password for everything. It is unbelievably common.

An attacker would assume this, so it would go without saying that if the attacker has been able to bypass security on a website she or he would get access to at least the database password. In the aforementioned CMSs the database password can be found unencrypted in the configuration files. The attacker would then try this password on everything, from the cPanel control panel login, to the CMS admin login, and even to the target’s GMAIL and social media accounts.

It really would not surprise me if this is how the attack went down … attackers will poke around in your stuff using a wide variety of tools and a good nose for misconfigurations, and there are almost always misconfigurations, out of date applications, badly coded addons and more.

Then Things Just Get Worse.

Symlink Bypass Attack

Even with the best security in place, if a blogger or anyone else uses a shared webspace service to host a website that site will probably be vulnerable to what is called a Symlink Bypass Attack. This can be launched from any website hosted on a shared webserver onto any other website hosted on the same server. An attacker for example could register their own website on the same webserver as the target’s website, and thereby gain access.

As an aside, try to avoid shared web services for this reason alone. This attack is still viable even today. Use a dedicated server or at least a VPS … to increase your security.

Via a Symlink Bypass Attack Rawshark would have eventually gained access to the blog admin logins, passwords, database password, database content and even into any active email accounts in the control panel (especially if GMAILs had been redirected into one of these accounts). In fact successful Symlink Bypass Attacks often give the attacker access to even the entire webserver.

Passwords are often stored in databases in the form of a cryptographic hash of the password. If these are not correctly salted, then an attacker can brute force these hashes to find the original passwords. In many cases an administrator’s short, easy-to-guess password could be brute forced from the database hashes in a matter of minutes. The attacker would then have the raw database password, and an admin user’s password, to try out against your other web services.
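To make the two points above concrete (the plain-text database password and password reuse discussed earlier, and the unsalted hashes just described), here is an added example, not code from the post or from any of the CMSs it names. It contrasts an unsalted MD5 store, where every user with the same password gets the same hash and a one-time precomputed table reverses it instantly, with a per-user-salted, stretched PBKDF2 store where that lookup finds nothing. The “common password” list and the two users are constructed; the iteration count is an assumption, not a value from the post.

```python
"""Unsalted hashes versus salted, stretched hashes in a leaked password table.
Added example; the sample passwords, users and word list below are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the huge precomputed lists attackers keep (assumption).
COMMON_PASSWORDS = ["password", "Wh@l3oil", "letmein", "123456"]

# Assumption: a modern PBKDF2-HMAC-SHA256 work factor; the post gives no figure.
PBKDF2_ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The weak scheme: the same password always yields the same hash, on every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precomputed_table() -> Dict[str, str]:
    """Built once, reusable against any unsalted database ever leaked."""
    return {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def recover_from_unsalted(leaked_hash: str) -> Optional[str]:
    """Instant reversal of an unsalted hash if the password is in the table."""
    return precomputed_table().get(leaked_hash)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: fresh 16-byte random salt per user plus key stretching.
    Stored as algo$iterations$salt$hash so the parameters travel with the record."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def demo(iterations: int = 1_000) -> Dict[str, object]:
    """Two constructed users who chose the same weak password, stored both ways."""
    weak = {u: unsalted_md5("Wh@l3oil") for u in ("admin", "editor")}
    strong = {u: hash_password("Wh@l3oil", iterations) for u in ("admin", "editor")}
    return {
        # Unsalted: identical hashes betray the shared password, and the table reverses it.
        "unsalted_hashes_identical": weak["admin"] == weak["editor"],
        "unsalted_admin_recovered": recover_from_unsalted(weak["admin"]),
        # Salted: the same password stores differently, and the table finds nothing.
        "salted_hashes_identical": strong["admin"] == strong["editor"],
        "salted_admin_recovered": recover_from_unsalted(strong["admin"]),
        "salted_verifies": verify_password("Wh@l3oil", strong["admin"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Salting alone only stops the precomputed table; the iteration count is what makes guessing a short password slow, which is why the stored record carries both. A leaked configuration file with the database password in the clear defeats all of this, so the password in that file must be one that is used nowhere else.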

If the lazy admin had used one or two passwords for everything Rawshark would have then also had access to Slater’s GMAIL account.

End of Game …

Now, originally I thought this web based attack was unlikely for the following reason. Most attackers that I have witnessed in the past, who had access to their target’s administration login, have defaced the website’s homepage with some smart-arsed, usually lowercase/uppercase jumbled message.

d3f@c3d bY k0mp3r5t0mp3r

This appears not to have happened in the WhaleOil hack, and that to me was a clue that perhaps the attack did not originate from the website, or there was something really peculiar about this attacker that was outside the norm, or both.

Then something weird happened during the @Whaledump2 disclosures on Twitter that changed my mind a little on that.

Rawshark, or some associate, was posting disclosures on Twitter following the release of Nicky Hager’s book. A court judge ruled that Rawshark should stop disclosing Slater’s private information, and to my utter amazement Rawshark complied. On the day of the ruling Rawshark’s Twitter account ceased posting, and that was that.

See the Radio New Zealand report here.

That was an infosec moment for me. For one thing, for my own amusement I had a list of possible suspects as to who Rawshark could be, but because of this reaction by Rawshark, that list got ripped up.

Why? Well, because I do not know or know of ANYONE in that position, using the best methods of anonymity and privacy, who would not have told that judge where to stick the ruling! It occurred to me that who we were dealing with here was a serially good, normally law-abiding person.

But we are not here to discuss the potential identity of Rawshark, but rather to look at the potential methods used to capture the email and chat repositories of one Cameron Slater. But in those clues alone, my deductions lead me to believe that access to the emails may not have originated from a direct attack on Slater’s website.

So, if you have managed to make it this far, we have these three possibilities:

  • Attacker Friend (AF) who goes feral on Slater and hands Hager the cache;
  • Hit and miss, or gifted attack on GMAIL itself to get access to GMAIL emails; or
  • Attack on the website of a lazy admin where one password is used for both web stuff and emails.

What about the Facebook conversations?

Facebook, like any other social media service, depends on the user owning the email account attached to the username. Unless the user has activated 2-factor authentication, an attacker who has control of the target’s primary email account can trigger a password reset on, for instance, a Facebook account and take over the target’s account for a brief time until Facebook is notified.

This is of course a very visible attack and Slater would have seen that coming and possibly stopped it from happening.

Facebook also allows for third party applications, many of which at that time were very insecure. It might have been possible for an attacker to exploit Slater’s Facebook account if he used one of the many vulnerable applications available to Facebook users.

But we need to also take into account the possibility that Slater used one password for all, so if an attacker had guessed the password to the GMAIL account, for example whal3oil or some other variant, then the attacker could have easily gotten into all of his stuff without being seen, and that to me is the clincher.

Summary

As it stands I am still not totally convinced about how Rawshark was able to gather Slater’s communications. What you see above are strong suspicions that do not pass the test in my view for me to form a solid conclusion without more information from either Rawshark or the journalists that interacted with him, or from Slater himself. None of those are likely to be forthcoming, nor should they be.

I said earlier “But I am going to tentatively rule out a super easy to guess password … for now, ’cause, well, that would just be too sad …”

But if Slater was using a master password for everything, then you now know with some certainty the various ways Rawshark could have obtained it. My best guess is that this is a master password issue and that Slater most likely used a really crappy password for his email, and social media, and that Rawshark simply guessed.

…and that really would just be too sad…

A word on Rawshark: Will the police catch Rawshark? Probably not. Most attackers launch their attacks via another compromised webspace or VPS, and almost always over Tor.

Tips for Better Blog Security Check List

If you run a political service of any sort online, you may attract the ire of someone who disagrees with you. In Slater’s case he often offends people deliberately or otherwise. It would seem that he did not properly look after his security so that he could talk with impunity the big talk; and someone took offence and took his world apart.

Even if you are not a total prick online…it pays to use the best security methods available, that actually do not cost you the world, but do however take a little time to accomplish.

  1. Memorise at least two 7 word pass phrases using Diceware
  2. Use a password manager (KeePass/KeePassX, Encryptr) for all your passwords. Use one of these 7 word pass phrases to lock the manager.
  3. Use the other as a pass phrase for your primary email account
  4. Using the password manager, generate a unique password of at least 128 bits for EVERY web service you use (social media sites, email accounts, web admin logins, banking logins etc). When you use a password manager you are then able to use passwords that are the maximum length allowed. For example, I have tested Twitter passwords as long as 165 characters.
  5. Host your website on a VPS or dedicated server and NEVER on shared web hosting.
  6. Install an SSL/TLS certificate on your website!
  7. Use 2-factor authentication on your web based services such as email and social media
  8. If you use WordPress, add the Pareto Security plugin (since I wrote it), Wordfence and (if you do not have an SSL/TLS certificate) Chap Secure Login
  9. Keep all your web applications and plugins up to date
  10. Make sure there are no publicly accessible backups of your website
  11. Use as few plugins as necessary
  12. Install HTTPS Everywhere and NoScript Security Suite on your web browsers
  13. Encrypt and lock your cellphone.
  14. Encrypt your computer hard drive or use Veracrypt to create encrypted containers to store your files in
  15. Ditch GMAIL and go with secure email services such as Protonmail, Tutanota, and Openmailbox.
  16. For the more security conscious/tech advanced, use TAILS, Whonix or at the very least TorBrowser, as your means of accessing the internet
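Items 1 to 4 of the checklist ask for two kinds of secret: memorised Diceware pass phrases and manager-generated random passwords of at least 128 bits. The following is an added example of how both are generated and how their strength is measured; it is not the author’s code and not the Diceware project’s own list. The 16-word list is a constructed stand-in (the real Diceware list has 7776 words), so the code computes entropy from whatever list size it is given rather than assuming one.

```python
"""Diceware-style pass phrases and 128-bit random passwords, with entropy figures.
Added example; the WORDLIST below is constructed, not the real Diceware list."""
import math
import secrets
import string
from typing import List

# Constructed mini word list (assumption). The real list has 7776 words, one per
# five-dice roll; any list of unique words works here, the entropy just scales.
WORDLIST = ["whale", "harbour", "kauri", "summit", "ferry", "quill", "basalt", "lantern",
            "orchard", "tussock", "granite", "paddle", "ember", "saddle", "compass", "meadow"]
REAL_DICEWARE_SIZE = 7776

# 94 printable ASCII characters excluding space: what most services accept.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def diceware_passphrase(words: int = 7, wordlist: List[str] = WORDLIST) -> str:
    """Each word is drawn independently with the CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of a phrase of `words` words drawn uniformly from `list_size` words."""
    return words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """How many words a list of this size needs to reach a target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def random_password(bits: int = 128, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Manager-style password: length chosen so it carries at least `bits` of entropy."""
    length = math.ceil(bits / math.log2(len(alphabet)))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(password: str, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return len(password) * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase = diceware_passphrase()
    print("pass phrase:", phrase)
    print("bits with this toy list:", round(passphrase_entropy_bits(7, len(WORDLIST)), 1))
    print("bits with the real 7776-word list:",
          round(passphrase_entropy_bits(7, REAL_DICEWARE_SIZE), 1))
    print("words needed for 128 bits on the real list:",
          words_needed(128, REAL_DICEWARE_SIZE))
    pw = random_password(128)
    print("manager password:", pw, "bits:", round(password_entropy_bits(pw, len(PASSWORD_ALPHABET)), 1))
```

Seven words from the real 7776-word list give about 90 bits, which is why the checklist treats a 7-word phrase as enough to lock the manager and the primary email account; the toy list here only reaches 28 bits, which shows why the list size, not just the word count, sets the strength. Over the 94-character alphabet, 20 random characters are needed to clear 128 bits, so a manager that is allowed to use a site’s maximum length should do so.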

Finally…

Chur

Kaati noa ra (that’s all for now),

@te_taipo