A Russian hacker group that goes by the name of W0rm hacked CNET.com over the weekend. In a conversation between W0rm and CNET, W0rm revealed that they used a security hole in CNET.com’s implementation of the Symfony PHP framework. W0rm has previously claimed credit for online security breaches of BBC, Adobe Systems, and Bank of America. In the weekend attack, W0rm was reportedly able to steal a database of over 1 million registered CNET users. The data stolen includes names, emails, and encrypted passwords. The breach was first realized when W0rm teased a carefully edited screenshot of CNET.com’s source via Twitter on 7/12/14.
On 7/14/14, W0rm briefly offered to sell the entire database for the grand sum of 1 Bitcoin; W0rm’s tweets to that effect have since been removed.
According to CNET.com, which is owned by CBS Interactive, during direct communication between CNET and W0rm, W0rm indicated that the group had no plans to decrypt the passwords or to complete the sale of the compromised database for 1 Bitcoin. W0rm admitted that the sale of the database was offered in order to generate publicity for the hack. Other user database leaks over the course of Internet history have not been so well-managed. For their part, a CBS Interactive spokeswoman admitted that “a few servers were accessed” but emphasized that “we identified the issue and resolved it a few days ago.” Regardless, experts, such as those at HOTforSecurity, remind users that CNET hasn’t revealed what encryption algorithm was used on the passwords or if salting was employed; as such, it is recommended that all CNET users change their passwords and make sure that no other accounts are using the potentially compromised password.
According to CNET, “W0rm claims that its goals are altruistic, and that it hacked CNET servers to improve the overall security of the Web. By targeting high-profile sites, the group says it can raise awareness about security flaws.” CNET also quotes W0rm as saying in their Twitter exchange: “[W]e are driven to make the Internet a better and safer [place] rather than a desire to protect copyright. I want to note that the experts responsible for bezopastnost [security] in cnet very good work but not without flaws.”
The careful release of the details of the hack and the lack of a database release have led some to believe that W0rm might actually have the best intentions of the world’s netizens in mind.
What Does Google’s Project Zero Have To Do With It?
W0rm has tweeted out Google’s recently announced Project Zero, a security project led by Google’s Chris Evans. Evans has worked for Google’s Chrome Security division for the last five years and is now leading a new, well-staffed team to target security online. Their stated goal is to counteract the fear that a criminal or state-sponsored actor is exploiting bugs or trying to infect your computer. To accomplish this, the Project Zero Team “will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the techniques, targets and motivations of attackers.” The team will work transparently, and all discovered bugs will be filed to an external database which will then be shared with the software vendor. The bug report won’t be released to the public until a patch is available. Project Zero is looking to hire security professionals and will also be extending existing Google programs which include “popular reward initiatives and guest blog posts.” It almost seems like W0rm just finished a performance-grade audition to commemorate Project Zero’s launch.
Update, 7/23/14: Forbes’ Thomas Brewster takes the opposite viewpoint from mine, and I fear he may be right.