September 24th, 2008

Bill O'Reilly's web site hacked, attackers release personal details of users

Posted by Dancho Danchev @ 5:56 am

Categories: Hackers, Passwords, Pen testing, Phishing, Privacy

Tags: Bill O'Reilly, Sarah Palin, Wikileaks, Hacktivism, Hacking, Security, Dancho Danchev

In what is slowly turning into a endless loop of hacktivism activities, Bill O’Reilly’s BillOreilly.com has been compromised during the weekend, with personal details including passwords in plain text for 205 of the site’s members already leaking across Internet forums, as a response to his remarks regarding Wikileaks as a “one of those despicable, slimy, scummy websites” which recently published private information of Sarah Palin’s private email.

On Friday, Wikileaks issued the following press release :

“Fox News demagogue, Bill O’Reilly, has been hacked and the details passed to Wikileaks. Wikileaks has been informed the hack was a response to the pundit’s scurrilous attacks over the Sarah Palin’s email story–including on Wikileaks and other members of the press, Hacktivists, thumbing their noses at the pundit, took control of O’Reilly’s main site, BillOReilly.com. According to our source, the security protecting O’Reilly’s site and subscribers was “non-existent”.

The following image, submitted to Wikileaks and confirmed by Wikileaks staff, offers proof of the hack. The image, clearly obtained from BillOreilly.com’s administrative interface, shows a detailed list — including passwords — of BillOreilly.com subscribers. Although Wikileaks has only released one page, it must be assumed that Bill O’Reilly’s entire subscriber list is, as of now, in the public domain.”

How did they do it “this time”?

According to the article at Wikileaks, the hacktivists seem to have been brute forcing the URL for the administration panel, and once successfully finding it, access the unencrypted data :

“According to Marston, the hackers were able to access the list by trying a large number of variations of the website’s administrative URL. He said all affected members have received an email and a phone call informing them of the breach and urging them to change their password. The site has since been completely locked down, Marston said.”

Moreover, it’s also worth pointing out that the passwords were stored unencrypted, evidence of the practice can also be seen within the screenshots of the admin panel. As far as the website’s administrative URL is concerned, it has since been changed once it leaked online (w3.billoreilly.com/pg/jsp/admin/managecustomers/newpremiummembers.jsp), which isn’t excluding the opportunity for abuse of the subscribers email addresses in spear phishing attacks, “for starters” since some of the users have already admitted of using the same password at different web sites, including PayPal.

The impact of the breach, and the measures taken to notify the victims according to the site :

“The BillOReilly.com site experienced a minor hacking incident on Friday, September 19th, 2008.

** ALL CREDIT CARD INFORMATION FOR EVERY MEMBER IS SAFE
** NO MEMBERS WHO JOINED BEFORE WEDNESDAY, SEPTEMBER 14th, 2008 WERE AFFECTED AT ALL.
** 205 new Premium Members who signed up last week had their name, hometown, email address, & BillOReilly.com password stolen.
** We have contacted those 205 members by email and telephone.
** We are working with the proper authorities to track down the perpetrators. “

Another personal message issued by Bill O’Reilly regarding the process of tracking down the “perpetrators” was posted on Sunday :

“The FBI and Secret Service are close to indicting some of the perpetrators and we will keep you posted when the arrests are made. All premium members receive the full backing of our legal team and if anyone is hassled in the least, please inform us immediately. In the latest case, no proprietary information was obtained by hackers and we have safeguards in place to protect everyone who does business with us.

Rest assured that we are on this. Our defense of Sarah Palin has led some criminals to attempt to disrupt our enterprise. At this moment federal authorites and our attorneys are compling information against these people. Again, if any person is bothered in any way - please let us know. We stand behind our products but, most importantly, we stand behind you. We’ll get the bad guys. Count on it.

Bill O’Reilly
9/21/08″

Who’s claimed responsibility? 4chan members planning at Ebaumsworld using “secret words” :

“According to my source this is a common tactic among the secret hacking group hidden amongst the users of ebaumsworld. he states “yeah we will start planning on 4chan so ebaums doesnt get in trouble…we use secret words and stuff to let the others know who we are” when i asked why he was telling me all this he said “man this has just gone too far.. at first it was a joke then we found out that the same usernames and passwords worked for those peoples paypal accounts and im afraid of what they will do.”

It appears that the “forum fraction” is also planning a DDoS attack against BillOreilly.com according to this interview, which wouldn’t be the first time the site has been under DDoS attack, and definitely not the last. From an analyst’s perspective, nation2nation hacktivism conflicts always provide the best and most accurate understanding of a particular’s country’s capabilities into this space, compared to hacktivism actions basically sticking to the standard practices as DDoS attacks, which just like any tip of the iceberg receive most of the attention due to the ease of measuring their impact next to the rest of the hacktivism tactics used.

The bottom line - good time to point out why you shouldn’t use the same password on different web services, and that the big picture having to do with Wikileak’s vision of a little less secrecy, and a little bit more transparency, ultimately better serves the world and gives power to the people whose collective consciousness, if not brainwashed, is supposed to be shaping the way we live.