Mr. All-knowing Super-hacker/psychologist Mefite, I need your help securing our IRC conversations...
July 16, 2008 11:47 PM Subscribe
Some really important info was leaked from our private IRC channel on our own server. Luckily, it was something that most people wouldn't believe without real proof, which the leaker didn't really have. So we're glad to have not been in a real shit-hit-the-fan situation yet. Can you find the weak link, or atleast offer suggestions on how to stop this from happening again?
A little bit of info about our setup... We own our own dedicated server which runs a public IRCD (UnrealIRCD latest stable version if you're curious). On this network, we have our own invite-only private channel which only about 10-14 people have access to. The channel is +i and +k with a large enough key that cannot be bruteforced. On top of that, we use FiSH encryption (blowfish) inside the channel. The key for the channel is exchanged/given to others after initiating a PM session which is also blowfish encrypted after a Diffie-Hellman 1080 key-exchange. So we're pretty sure that our encryption key hasn't been sniffed at any point. Plus, even having the dedicated server rootkitted/trojanned wouldn't compromise our encrypted talk since it's only forwarding encrypted packets. All of us connect using one of the two clients - mirc and xchat.
The only way to get something from this channel that I can think of is either someone leaking the info by mistake or on purpose, or people with trojans or keyloggers. We're pretty sure none of us are infected after running multiple scans for rootkits, viruses/trojans and checking outgoing/incoming connections and processes. But it obviously cannot be ruled out since none of the tools are 100% trustworthy when it comes to detection. About someone leaking info from here, well, I'd like to think it's impossible. All of us have been a part of this channel for upwards of a year now, would trust each other, and have had access to a lot more important stuff than what was leaked. If someone wanted to make a profit off it, they could have done so quite a long time ago... Again, not ruling it out, but if there is another explanation for this leak, I'd put my faith in it being that one instead of the theory of a leaker.
The info was posted on a bunch of public forums. We're friends with the admins of all those public forums and had access to the poster's ip. Unfortunately, all of them were known TOR ips, so we cannot really find out who it was.
So, super-hacker mefites, find our weak link, and offer me suggestions on how I/we can make it even more secure. If you're a super psychologist (or is it psychiatrist?), you can even offer suggestions on how I could find the leaker by observing behavior patterns. Thanks!
anonymous throwaway mail for this question: mefitempmailacc@gmail.com
A little bit of info about our setup... We own our own dedicated server which runs a public IRCD (UnrealIRCD latest stable version if you're curious). On this network, we have our own invite-only private channel which only about 10-14 people have access to. The channel is +i and +k with a large enough key that cannot be bruteforced. On top of that, we use FiSH encryption (blowfish) inside the channel. The key for the channel is exchanged/given to others after initiating a PM session which is also blowfish encrypted after a Diffie-Hellman 1080 key-exchange. So we're pretty sure that our encryption key hasn't been sniffed at any point. Plus, even having the dedicated server rootkitted/trojanned wouldn't compromise our encrypted talk since it's only forwarding encrypted packets. All of us connect using one of the two clients - mirc and xchat.
The only way to get something from this channel that I can think of is either someone leaking the info by mistake or on purpose, or people with trojans or keyloggers. We're pretty sure none of us are infected after running multiple scans for rootkits, viruses/trojans and checking outgoing/incoming connections and processes. But it obviously cannot be ruled out since none of the tools are 100% trustworthy when it comes to detection. About someone leaking info from here, well, I'd like to think it's impossible. All of us have been a part of this channel for upwards of a year now, would trust each other, and have had access to a lot more important stuff than what was leaked. If someone wanted to make a profit off it, they could have done so quite a long time ago... Again, not ruling it out, but if there is another explanation for this leak, I'd put my faith in it being that one instead of the theory of a leaker.
The info was posted on a bunch of public forums. We're friends with the admins of all those public forums and had access to the poster's ip. Unfortunately, all of them were known TOR ips, so we cannot really find out who it was.
So, super-hacker mefites, find our weak link, and offer me suggestions on how I/we can make it even more secure. If you're a super psychologist (or is it psychiatrist?), you can even offer suggestions on how I could find the leaker by observing behavior patterns. Thanks!
anonymous throwaway mail for this question: mefitempmailacc@gmail.com
Even if you're 98% sure that any given person didn't leak the information, if there are 14 people you're down to only a 75% chance of everyone not leaking something.
Hypothetically, the same 'bug' that caused Cat Schwartz's topless photos to be revealed might have caused someone to accidentaly send a screenshot or something that had a chat log in the background revealed in the uncropped thumbnail.
posted by 0xFCAF at 12:41 AM on July 17, 2008
Hypothetically, the same 'bug' that caused Cat Schwartz's topless photos to be revealed might have caused someone to accidentaly send a screenshot or something that had a chat log in the background revealed in the uncropped thumbnail.
posted by 0xFCAF at 12:41 AM on July 17, 2008
You say your computers are secure and you trust all of the people. Clearly one of these is wrong.
Since people are always the weakest link in security I'll apply Occam's razor and say that's where the problem is here.
I'm guessing not everyone is logged in at all times. Compare all of the posted logs you can find with a record of who was logged in and when. Cross everyone off the list who wasn't logged into all of those sessions and what's left are your suspects. If the messages are timestamped locally maybe you can narrow it down by time zone. You can maybe use the time of posting the leaks to narrow it further if you know people who would have been incapable of, or unlikley to post at that specific time.
Also does your server keep logs of the IRC sessions? Who has access to the logs, and are you absolutely sure about that?
The usual way to find out who is spying is to feed all of the suspects different misinformation and see what shows up, but not knowing the nature of the information or your communication I can't suggest a good way to do that.
posted by Ookseer at 12:43 AM on July 17, 2008 [1 favorite]
Since people are always the weakest link in security I'll apply Occam's razor and say that's where the problem is here.
I'm guessing not everyone is logged in at all times. Compare all of the posted logs you can find with a record of who was logged in and when. Cross everyone off the list who wasn't logged into all of those sessions and what's left are your suspects. If the messages are timestamped locally maybe you can narrow it down by time zone. You can maybe use the time of posting the leaks to narrow it further if you know people who would have been incapable of, or unlikley to post at that specific time.
Also does your server keep logs of the IRC sessions? Who has access to the logs, and are you absolutely sure about that?
The usual way to find out who is spying is to feed all of the suspects different misinformation and see what shows up, but not knowing the nature of the information or your communication I can't suggest a good way to do that.
posted by Ookseer at 12:43 AM on July 17, 2008 [1 favorite]
Occam's razor. Someone in your group posted the information.
Do you have logs that cover the time period the sensitive information was discussed on the channel? That would give you a list of likely suspects.
And ten to fourteen people? There are four people that might have access, but you don't know? That doesn't sound particularly secure despite the precautions you've taken.
If you're speaking literally about people making a profit off this information, you might want to consider having your team members sign a non disclosure agreement. At the least, I would create a new channel on a different server and start the invite process over again.
As for the psychology...I'd say you posted the information and this AskMe is a clever ruse to cover your tracks. Dun dun DUN!
posted by Loser at 12:46 AM on July 17, 2008
Do you have logs that cover the time period the sensitive information was discussed on the channel? That would give you a list of likely suspects.
And ten to fourteen people? There are four people that might have access, but you don't know? That doesn't sound particularly secure despite the precautions you've taken.
If you're speaking literally about people making a profit off this information, you might want to consider having your team members sign a non disclosure agreement. At the least, I would create a new channel on a different server and start the invite process over again.
As for the psychology...I'd say you posted the information and this AskMe is a clever ruse to cover your tracks. Dun dun DUN!
posted by Loser at 12:46 AM on July 17, 2008
Of the 10-14 people who have access, do any of them have disgruntled husbands/wives, boyfriends/girlfriends, children, or other people in their lives who could have stumbled upon their already-logged-on computer and/or their log-in information? Perhaps the leaker isn't one of your core group of 10-14 people, but it certainly might be someone in a larger circle.
posted by amyms at 1:10 AM on July 17, 2008
posted by amyms at 1:10 AM on July 17, 2008
I would agree with all the posters suggesting Occam's razor; that one of your people is responsible. But also bear in mind Hanlon's razor: Never attribute to malice that which can be adequately explained by stupidity.
posted by alby at 3:26 AM on July 17, 2008 [2 favorites]
posted by alby at 3:26 AM on July 17, 2008 [2 favorites]
Someone posted it - you weren't compromised.
Time for a witch hunt!
posted by unixrat at 6:09 AM on July 17, 2008 [1 favorite]
Time for a witch hunt!
posted by unixrat at 6:09 AM on July 17, 2008 [1 favorite]
OP doesn't say "transcript" does s/he? The word was "information" -- so was it in fact a transcript / screenshot which limits the information vector to that IRC channel, or was it simply the information itself. Could a conversation have simply been overheard, or the information obtained by the Tor poster from somewhere OTHER than the IRC channel?
posted by tyllwin at 6:12 AM on July 17, 2008
posted by tyllwin at 6:12 AM on July 17, 2008
I'd say it's a wetware attack too, either intentional leak or sloppiness. Specifically this: "The info was posted on a bunch of public forums. We're friends with the admins of all those public forums and had access to the poster's ip." says intential leak to me as it is kind of convenient that the information was targeted just to boards where you're familiar with the mods. Is some kind of side drama possible like relationships between members or money owed? Scorned lovers can be batshitinsane.
posted by Mitheral at 7:01 AM on July 17, 2008
posted by Mitheral at 7:01 AM on July 17, 2008
So the connection was secure but it seems to me that wouldn't be the weakest link even if it wasn't secure.
Were all the participants in the discussion each the only person to ever have physical access to any computer they ever used on the channel? It seems to me that physical access to the machine is the most likely explanation.
posted by winston at 7:05 AM on July 17, 2008
Were all the participants in the discussion each the only person to ever have physical access to any computer they ever used on the channel? It seems to me that physical access to the machine is the most likely explanation.
posted by winston at 7:05 AM on July 17, 2008
This thread is closed to new comments.
But were any of them using unsecured computers or wireless networks? What about trojans and rootkits on their "secure" computers? What about memory sticks or that sort of thing?
It seems to me if you have no evidence of intrusion you must consider another route for the information. If it reaches someone else's computer that you don't control, well, all the security in the world on your server is useless.
posted by dhartung at 12:22 AM on July 17, 2008