DoD hacked Facebook? Trackback explained

"Mark Zuckerberg Facebook fan page hack: who was behind it?"

http://www.guardian.co.uk/technology/blog/2011/jan/26/mark-zuckerberg-
facebook-fan-hack-investigation

" ... Let's follow up some of the trail left in the Mark Zuckerberg
Facebook fan page hacking incident.

The only – and best clue – is the link left by the hacker in the status
update posted on Zuckerberg's wall, which reads "Let the hacking begin:
if facebook needs money, instead of going to the banks, why doesn't
Facebook let its user invest in Facebook in a social way? Why not
transform Facebook into a 'social business' the way Nobel Price [sic]
winner Muhammad Yunus described it? http://bit.ly/f26rT3 What do you
think? #hackercup2011"

That contains a bit.ly link. Well, you can find out what the original
URL is by adding a plus on the end, so: http://bit.ly/fs6rT3+ From
which we can see that about 17,000 people clicked the link. Not bad
(though we have to say that Julian Assange gets more clicks when he
appears on the Guardian ... but we digress).

The original, shortened link was actually: http://en.wikipedia.org/wiki/
Social_business?
h=d044aeb71f4e466a552708fc6e3863ef&thanksforthecup=https://
www.facebook.com/photo.php%3Fpid%3D393752%26id%3D133954286636768%26fbid
%3D170535036312026

Let's begin with the second part of the long link – the part that
starts "thanksforthecup": it's URL-encoded (so "%3D" actually stands
for the character "=", "%26" for "&") and leads to a Facebook photo
page for the Hacker Cup, a competition run by Facebook itself. So the
hacker is saying he thinks he should get the cup. OK, we get it.

Now, back to the first part. If you just click the link, you'll be
taken to Wikipedia's page about social business. But not the latest
version – to a specific version in its edit history. That is, to http://
en.wikipedia.org/wiki/Social_business?
h=d044aeb71f4e466a552708fc6e3863ef – which is not the same, now, as
http://en.wikipedia.org/wiki/Social_business. If you open them in two
tabs, or just open the first in a tab and click on the "Article" link
in the top left, you'll see it. Go back and forth a couple of times and
you might spot the difference. Yes? No? Have a look at this difference
page, then. (And look at how it was before that edit.)

Yup, the difference is the addition in the first sentence. Usually,
that reads:

"A '''social business''' is a non-loss, non-dividend company designed
to address a social objective"

But in the edited (older) version that you get sent to, the phrase

" much like [http://www.romanstwelve.net www.romanstwelve.net]"

has been added. (The square brackets turn the text into a link going
out to romanstwelve.net). And what does that site do? It offers "total
web consulting" and is based in Pickerington, Ohio.

Crucially, as the picture shows, that edit was only on Wikipedia for
two minutes on Tuesday 25 – between 19.17EST and 19.19EST – indicating
that the hacker must have created the edit with the link and then
deleted it straight afterwards, but kept the link to the version he had
edited. Then he encoded the link for the photo and attached it to the
Wikipedia link, and stuffed the whole lot into bit.ly. Then, having got
the shortened link, he went and updated the status on the fan page. The
timing of the change, and its reversion, indicates that this was the
same person. You don't accidentally link to an old version of a page;
you'd link to the generic version.

In other words, we might be able to find the hacker if we can find out
who changed the Wikipedia page. Unfortunately, it wasn't done by a
registered user. But because of Wikipedia's clever tracking system, you
can see the IP of non-registered users: there it is at the top of the
edit page in the screenshot: 131.74.110.168. You can also see what
articles machines at that IP address have edited – a very mixed bag–-
and also how edits from that IP have been increasingly smacked down by
Wikipedia editors (latest on that page coming from October 2009:
"Please stop your disruptive editing. If you continue to vandalise
Wikipedia, as you did at Lyoto Machida, you will be blocked from
editing."

So who's behind 131.74.110.168? A quick whois query tells you that
it... the US department of defence in Williamsburg.

In other words: this might be someone in the military. Most likely
those edits don't come from one person – they come from all sorts of
people in the Williamsburg location. Or, just as possible, it was
someone who had hacked into the computers there from outside (not as
difficult as you'd hope it would be) and is using them as a proxy to
make the Wikipedia edit, and, quite possibly, hack Zuckerberg's page.
(We've asked Facebook whether Zuckerberg's page was accessed from that
IP, but haven't had an answer yet.)

That's about all the clues we have: a US DOD IP, a transient Wikipedia
page, and a link to a web consulting business. We asked Jeremy Reger,
of Romanstwelve, if he was involved with or knew who was behind the
hacking. His answer is an emphatic no: "Hackers don't link to pages who
then link to pages. I do not have any idea who did the hack." He added:
"I'm sure Facebook would confirm that the IP [address] in the wiki
history in not the same IP that "hacked" the fan page."

That remains to be seen. For now, all we have are the pieces of the
hack. Can anyone add more?

 

More specifically the Logistics Agency which handles pay and
employment. It might be of interest that we have CAC access to the
DLA since we have to coordinate through a range of IPs with MyPay.

IOW, I am your hacker.

*LOL*

Or not. See above.

Or not. See above.

Or not. See above.

duh.

 

What does CAC access have to do with this ?

 

If you have to ask, then you haven't a clue about the requirements to
enter a secured .mil domain.

 

Dude I am fully aware of DoD PKE. I have had a CAC for most of the last
decade and know how to provision AD for CCL, have used all CAC middleware
from NetSIGN through ActivClient, I know what it takes to deal with encrypted
email when transitioning CACs and know what it takes for CAC related SSO.
Even my home PC is CAC compliant.

Now what does CAC have to do with this subject matter ?

 

Asked and answered and if you are as astute as you say, why not log in
to DLA's 131.74.110.168 DNS and Google Group a response back to us.

 

Right. You are just throwing that in to make you look like you know something.
You haven't answered anything.

You don't know shite. You are just a bloody troll Ari.

 

Oooh, wait, you're still here. yYu must have me confused with a
cubicle jailed coder like yourself. No, no, my little one. I suggest
you do your homework on me.

I *hire* coders.

Ta ta.

 

Right. Can't answer because you are a clueless troll who talks big but
when pushed for facts can't provide !


A) What is the date CTO 07-015 poem is due ?
A: Jan 31, 2011

B) CN=DOD CA-24,OU=PKI,OU=DoD,O=U.S. Government,C=US
GemCombiXpresso R4 E72PK
Where does the above come from ?
A: Gemalto GCX4 72K Common Access Card retrieved using ActivClient
v6.1.3.130
-- LIBRARY VERSION --
CSP Library:
Name: accsp.dll
Version: 4-4-0-27
P11 Library:
Name: acpkcs211.dll
Version: 4-4-0-15
BSI Library:
Name: acbsi21.dll
Version: 4-4-0-2

C) Under the JKO Learning Management System, what is the 6th J3T
training module one can enroll in ?
A: J3TA-US032, M9 Pistol Training Course
That is easily obtainable *IF* you had access to Joint Knowledge Online
(JKO)

D) Subsequent to one getting a new CAC on AGM 9.x, what are the THREE
basic constructs one needs to perform ?
A: 1 - Pull old certificate from the Global Acess List (GAL) and
publish new certificate to the GAL
{ You can't work work properly with encrypted email if you don't publish
your certificate to the GAL or if you have multiple certificates in the
GAL }
{ AGM - Army Gold Master v9 (aka; Vista AGM) }

2 - Publish new certificate to Army Knowledge Online (AKO).
{ Can't do Single Sign On (SSO) through your CAC and access Public Key
Infrastructure (PKI) protected web sites if you don't publish your
certificate to AKO }

3 - Recrypt data for Due to Data At Rest (DAR) compliance with new CAC
certificate
{ Data is encrypted via one's CAC for DAR compliance and if you don't
recrypt the data then you lose access to your Profile "Documents" folder
}

E) Why do I need Tumbleweed ?
You need Tubleweed for site and file certificate verification a
certificate revocation (ex. DISA CRL) and it is needed as part of the
Actiove Directory (AD) CAC Cryptographic Login (CCL) authentication
process with an Online Certificate Status Protocol (OCSP) server.

Check Mate!
{ 'nym retired }

 

You still here? Looking for work? I have hired several off Usenet but,
sorry, no openings for you.

*rofl*

 

OK, got an opening for CAC SSO coder, $110,000 per year, will pay to
relocate to Miami FL, email me ASAP.

 

BZZZZZZZZZZT. Times up, you lose, job's assigned. /lol/

 

BZZZZZZZZZZT. <--------------[/QUOTE]

This is the sound of a fly buzzing through Ari's head, in one ear
and out the other.
Ari, we are going to miss you (for a second or two) when you go
over to start posting on alt.buttwipe, because we will then....,
because we will then...., Hell, I can't think of any reason why we
would miss you, you pathetic, limp-dick wannabe.