Attacks/Breaches
5/16/2014
02:00 PM
Connect Directly
RSS
E-Mail
50%
50%

Gawker Attacker Turned FBI Informant, Pursued Other Hackers

Unsealed court documents reveal that "Eekdacat" hacked Gawker, but related charges were dropped after the hacker helped the FBI nab other hackers.

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

The hacker behind the notorious theft of up to 1.3 million passwords from Gawker media sites in 2010 has been revealed.

Thomas Madden, a.k.a. Eekdacat, was arrested on related charges at 6:15 a.m. on June 29, 2011, by FBI agents, according to newly unsealed court documents. But in return for the man's cooperation and in light of his autism, the Department of Justice deferred -- and ultimately dismissed -- charges related to the theft of passwords from Gawker, the Smoking Gun reported Thursday.

According to an "ex parte and sealed application and affirmation" filed in federal court -- on the day Madden was arrested -- by assistant US attorney Rosemary Nidiry, "the defendant actively is cooperating with the government... [and] has provided the government with detailed information concerning the activities of certain individuals who are suspected of being involved in unauthorized computer intrusions or 'hacks' into various computer networks of several well-known corporations."

[The Danish security group CSIS warns of a banking Trojan reaching customers in new countries. Read Zeus 'Gameover' Trojan Expands Global Reach.]

For Madden's safety, however, Nidiry argued that his assistance should be kept secret, and that court documents should refer to him as "John Doe" until the government wrapped its related observations.

This is the first time that the attacker behind the December 2010 hack of Gawker media sites has been identified. At the time of the hack, a self-proclaimed participant in the "Gnosis" hacking effort said it had been launched in response to the media site's "arrogance" at having told WikiLeaks supporters to "bring it on."

According to a criminal complaint filed June 27, 2011 -- the day after the Gawker hack -- Eekdacat told an online friend that he'd written the Gnosis-related communications and boasted that "over 1 million people got compromised because of me." He also said that the Gawker passwords were "crypt(3) salted MD5 and DES," and that he'd already cracked about 200,000 of them. In response to a question about whether Gawker's software was up to date, he said, "The encryption was over 10 years old I forget their OS was like 9 updates behind big updates."

Madden, who's now 26, declined to discuss his hacking activities with the Smoking Gun, except to say that he's had "no contact with those people" since his arrest.

An emailed request for comment sent to a Hushmail address through which Eekdacat previously communicated with InformationWeek bounced back with a "user unknown" error message.

For IT administrators, when it comes to stopping hackers of Madden's ilk, the takeaway isn't rocket science: Use up-to-date, patched versions of all Internet-connected software; properly secure passwords; and avoid purposefully antagonizing would-be attackers. Conversely, given the current hacking state of the art, businesses that fail to follow those basic precepts shouldn't be surprised if their sites and databases get hacked and their contents "doxed" for all to see.

One consolation for businesses that get doxed is that many hackers who publicly release stolen data have a difficult time avoiding arrest. According to the criminal complaint, for example, the FBI was handed Madden on a platter after he left online clues as to his actual IP address, which were spotted by a group of third-party researchers calling themselves the A-Team.

The complaint also cites a number of online chats between Madden and a fellow university student. According to the Smoking Gun, the FBI obtained the chats after Madden and the student had a falling out, after which Madden opened a Yahoo account under a fake name and emailed the other student's teachers, accusing him of cheating. Subsequently, the unnamed student shared the chat transcripts with the bureau, triggering an investigation by a criminal cyber intrusion squad lead by FBI agent Olivia Olson.

Those facts square with previous reports that Olson compiled two warrants relating to two confidential witnesses who were both arrested on June 29, 2011. Both were also put through psychiatric exams.

According to the complaint, while Madden went by Eekdacat in the online chats, he referred to himself at least once as Tom. In addition, the complaint noted that Eekdacat had been referenced in a document posted to Pastebin on June 25, 2011, by the A-Team that offered clues to LulzSec members' identities. The document included

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter. View Full Bio

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/18/2014 | 11:23:25 AM
Stay Ahead of the Curve
I think the most important message in this scenario is to always patch and stay current. Having an outdated OS and outdated encryption (regular DES) is two huge vulnerabilities to your enterprise saftey. Resolving these won't stop zero day attacks but it will help your network from being wide open.

Also, I am not sure what being autistic has anything to do with the judgment. I believe that is irrelevant in nature to this case. I am glad that he saw fit to cooperate after his capture. Hopefully, this resulted in the prevention of many future attacks. Thoughts?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5452
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations.

CVE-2014-6041
Published: 2014-09-02
The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.