Discussion in 'Computer Security' started by Anonymous Remailer (austria), Jan 26, 2011.

  1. "Mark Zuckerberg Facebook fan page hack: who was behind it?"

    " ... Let's follow up some of the trail left in the Mark Zuckerberg
    Facebook fan page hacking incident.

    The only – and best clue – is the link left by the hacker in the status
    update posted on Zuckerberg's wall, which reads "Let the hacking begin:
    if facebook needs money, instead of going to the banks, why doesn't
    Facebook let its user invest in Facebook in a social way? Why not
    transform Facebook into a 'social business' the way Nobel Price [sic]
    winner Muhammad Yunus described it? What do you
    think? #hackercup2011"

    That contains a link. Well, you can find out what the original
    URL is by adding a plus on the end, so: From
    which we can see that about 17,000 people clicked the link. Not bad
    (though we have to say that Julian Assange gets more clicks when he
    appears on the Guardian ... but we digress).

    The original, shortened link was actually:

    Let's begin with the second part of the long link – the part that
    starts "thanksforthecup": it's URL-encoded (so "%3D" actually stands
    for the character "=", "%26" for "&") and leads to a Facebook photo
    page for the Hacker Cup, a competition run by Facebook itself. So the
    hacker is saying he thinks he should get the cup. OK, we get it.

    Now, back to the first part. If you just click the link, you'll be
    taken to Wikipedia's page about social business. But not the latest
    version – to a specific version in its edit history. That is, to http://
    h=d044aeb71f4e466a552708fc6e3863ef – which is not the same, now, as If you open them in two
    tabs, or just open the first in a tab and click on the "Article" link
    in the top left, you'll see it. Go back and forth a couple of times and
    you might spot the difference. Yes? No? Have a look at this difference
    page, then. (And look at how it was before that edit.)

    Yup, the difference is the addition in the first sentence. Usually,
    that reads:

    "A '''social business''' is a non-loss, non-dividend company designed
    to address a social objective"

    But in the edited (older) version that you get sent to, the phrase

    " much like []"

    has been added. (The square brackets turn the text into a link going
    out to And what does that site do? It offers "total
    web consulting" and is based in Pickerington, Ohio.

    Crucially, as the picture shows, that edit was only on Wikipedia for
    two minutes on Tuesday 25 – between 19.17EST and 19.19EST – indicating
    that the hacker must have created the edit with the link and then
    deleted it straight afterwards, but kept the link to the version he had
    edited. Then he encoded the link for the photo and attached it to the
    Wikipedia link, and stuffed the whole lot into Then, having got
    the shortened link, he went and updated the status on the fan page. The
    timing of the change, and its reversion, indicates that this was the
    same person. You don't accidentally link to an old version of a page;
    you'd link to the generic version.

    In other words, we might be able to find the hacker if we can find out
    who changed the Wikipedia page. Unfortunately, it wasn't done by a
    registered user. But because of Wikipedia's clever tracking system, you
    can see the IP of non-registered users: there it is at the top of the
    edit page in the screenshot: You can also see what
    articles machines at that IP address have edited – a very mixed bag –
    and also how edits from that IP have been increasingly smacked down by
    Wikipedia editors (latest on that page coming from October 2009:
    "Please stop your disruptive editing. If you continue to vandalise
    Wikipedia, as you did at Lyoto Machida, you will be blocked from

    So who's behind A quick whois query tells you that
    it... the US department of defence in Williamsburg.

    In other words: this might be someone in the military. Most likely
    those edits don't come from one person – they come from all sorts of
    people in the Williamsburg location. Or, just as possible, it was
    someone who had hacked into the computers there from outside (not as
    difficult as you'd hope it would be) and is using them as a proxy to
    make the Wikipedia edit, and, quite possibly, hack Zuckerberg's page.
    (We've asked Facebook whether Zuckerberg's page was accessed from that
    IP, but haven't had an answer yet.)

    That's about all the clues we have: a US DOD IP, a transient Wikipedia
    page, and a link to a web consulting business. We asked Jeremy Reger,
    of Romanstwelve, if he was involved with or knew who was behind the
    hacking. His answer is an emphatic no: "Hackers don't link to pages who
    then link to pages. I do not have any idea who did the hack." He added:
    "I'm sure Facebook would confirm that the IP [address] in the wiki
    history is not the same IP that "hacked" the fan page."

    That remains to be seen. For now, all we have are the pieces of the
    hack. Can anyone add more?
    Anonymous Remailer (austria), Jan 26, 2011
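The link decomposition the quoted article walks through (percent-decoding the appended part, noticing that the Wikipedia link points at one revision from the edit history rather than the live article, and recovering the embedded second URL) as an added Python example; it is not part of the thread or the article, and the URL it parses is constructed for illustration, not the real link from the incident:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample, not the real link from the incident: a Wikipedia permalink
# pinned to one revision, with a second, percent-encoded URL appended as a
# query parameter (%3A%2F%2F = "://", %3F = "?", %3D = "=", %26 = "&").
SAMPLE = (
    "https://en.wikipedia.org/w/index.php?title=Social_business&oldid=123456789"
    "&thanksforthecup=https%3A%2F%2Fwww.facebook.com%2Fphoto.php%3Ffbid%3D987%26set%3Da.1"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_layers(value, max_depth=5):
    """Percent-decode until the string stops changing, so doubly encoded
    values are unwrapped as well (parse_qs only decodes one layer)."""
    for _ in range(max_depth):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage_link(url):
    """Break a suspicious link into the pieces a reviewer wants to see:
    the host, whether a Wikipedia link is pinned to a historical revision,
    the live article it corresponds to, and any URLs hidden in its parameters."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    host = parts.hostname or ""
    findings = {"host": host, "pinned_revision": None,
                "live_article": None, "embedded_urls": []}
    # oldid= selects one revision from the edit history, not the current page;
    # the live article is what a reader sees by clicking the "Article" link.
    if host.endswith("wikipedia.org") and "oldid" in params:
        findings["pinned_revision"] = params["oldid"][0]
        if "title" in params:
            findings["live_article"] = f"https://{host}/wiki/{params['title'][0]}"
    # Decode each parameter value and collect any URLs nested inside it.
    for values in params.values():
        for value in values:
            findings["embedded_urls"].extend(URL_RE.findall(decode_layers(value)))
    return findings


if __name__ == "__main__":
    for key, val in triage_link(SAMPLE).items():
        print(f"{key}: {val}")
```

A link that resolves to the live article (no `oldid`) reports no pinned revision, which is the distinction the article uses to argue the edit and the status update came from the same person.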
  2. More specifically the Logistics Agency which handles pay and
    employment. It might be of interest that we have CAC access to the
    DLA since we have to coordinate through a range of IPs with MyPay.

    IOW, I am your hacker.

    Or not. See above.
    Ari Silverstein, Jan 26, 2011
  3. What does CAC access have to do with this ?
    Art, Jan 26, 2011
  4. If you have to ask, then you haven't a clue about the requirements to
    enter a secured .mil domain.
    Ari Silverstein, Jan 27, 2011
  5. Dude I am fully aware of DoD PKE. I have had a CAC for most of the last
    decade and know how to provision AD for CCL, have used all CAC middleware
    from NetSIGN through ActivClient, I know what it takes to deal with encrypted
    email when transitioning CACs and know what it takes for CAC related SSO.
    Even my home PC is CAC compliant.

    Now what does CAC have to do with this subject matter ?
    Art, Jan 27, 2011
  6. Asked and answered and if you are as astute as you say, why not log in
    to DLA's DNS and Google Group a response back to us.
    Ari Silverstein, Jan 27, 2011
  7. Right. You are just throwing that in to make you look like you know something.
    You haven't answered anything.

    You don't know shite. You are just a bloody troll Ari.
    Art, Jan 27, 2011
  9. Right. Can't answer because you are a clueless troll who talks big but
    when pushed for facts can't provide !

    A) What is the date CTO 07-015 poem is due ?
    A: Jan 31, 2011

    B) CN=DOD CA-24,OU=PKI,OU=DoD,O=U.S. Government,C=US
    GemCombiXpresso R4 E72PK
    Where does the above come from ?
    A: Gemalto GCX4 72K Common Access Card retrieved using ActivClient
    CSP Library:
    Name: accsp.dll
    Version: 4-4-0-27
    P11 Library:
    Name: acpkcs211.dll
    Version: 4-4-0-15
    BSI Library:
    Name: acbsi21.dll
    Version: 4-4-0-2

    C) Under the JKO Learning Management System, what is the 6th J3T
    training module one can enroll in ?
    A: J3TA-US032, M9 Pistol Training Course
    That is easily obtainable *IF* you had access to Joint Knowledge Online

    D) Subsequent to one getting a new CAC on AGM 9.x, what are the THREE
    basic constructs one needs to perform ?
    A: 1 - Pull old certificate from the Global Access List (GAL) and
    publish new certificate to the GAL
    { You can't work properly with encrypted email if you don't publish
    your certificate to the GAL or if you have multiple certificates in the
    GAL }
    { AGM - Army Gold Master v9 (aka; Vista AGM) }

    2 - Publish new certificate to Army Knowledge Online (AKO).
    { Can't do Single Sign On (SSO) through your CAC and access Public Key
    Infrastructure (PKI) protected web sites if you don't publish your
    certificate to AKO }

    3 - Recrypt data due to Data At Rest (DAR) compliance with new CAC
    { Data is encrypted via one's CAC for DAR compliance and if you don't
    recrypt the data then you lose access to your Profile "Documents" folder }

    E) Why do I need Tumbleweed ?
    You need Tumbleweed for site and file certificate verification and
    certificate revocation (ex. DISA CRL) and it is needed as part of the
    Active Directory (AD) CAC Cryptographic Login (CCL) authentication
    process with an Online Certificate Status Protocol (OCSP) server.

    Check Mate!
    { 'nym retired }
    Art, Jan 27, 2011
