Anonymous Builds New Haven For Stolen Data

Saying Pastebin has censored its posts, Anonymous creates AnonPaste, a new site where hacktivists can dump stolen data.

Anonymous, together with a group known as the Peoples Liberation Front, Tuesday announced the immediate availability of a new website for hacktivists to dump their stolen ("doxed") data.

Dubbed AnonPaste, the website has been created as an alternative to Pastebin and other websites that allow people to anonymously upload large amounts of text, the two groups said in a joint press release. Shared content can be set to expire after 10 minutes, an hour, a day, a month, a year, or never. In addition, the site promises to remain advertising-free and unmoderated, maintain no connection logs, and store only encrypted data.

The AnonPaste site says, "[The] server has zero knowledge of data being stored. Your data is safe even in case of server breach or seizure." But it cautions that in the event that a hacker manages to successfully install "crooked JavaScript" libraries, future pastes could be captured.

AnonPaste, which accepts donations via WePay and Bitcoin, was built using the open source ZeroBin software, which doesn't record the IP addresses of uploaders. In addition, the software encrypts and decrypts all text in the browser--before uploading it--using 256-bit AES encryption. The software also automatically converts URLs into clickable links.

But should would-be submitters of anonymous information trust the software on which AnonPaste is based? ZeroBin was created by, and is hosted on the personal website of, Sebastien Sauvage, a French developer with experience in developing online payment and authentication systems for French banks, which suggests he brings relevant knowledge to bear. Likewise, the software's tagline--"Because ignorance is bliss"--suggests that the software has been purpose-built to keep anonymous submissions anonymous.

But the ZeroBin software itself comes with numerous cautions: it's a "test service" and data may be deleted at the administrator's discretion. The ZeroBin site also warns, "Kittens will die if you abuse this service." That suggests that the server software hasn't been stress-tested against--or possibly, built to resist--the types of distributed denial-of-service attacks to which sites like Pastebin have been subjected.

Why the need for a new Pastebin? In part because Pastebin hasn't warmly embraced hacktivists who use it as a dox dumping ground. In fact, the site was created by Paul Dixon back in 2002 as a place for programmers to share snippets of source code. After 20,000 Hotmail account credentials were leaked via a Pastebin post in 2009, Dixon temporarily took the site offline while he added modifications to help prevent such data dumps.

Regardless, after the site was sold to Dutch entrepreneur and programmer Jeroen Vader in 2010, Pastebin became the go-to site for LulzSec to release dox or brag about attacks. By the middle of 2011, the site was recording its highest levels of traffic ever.

At the time, Vader told Social Media that the site had put a system in place to deal with takedown requests over sensitive data that ends up on the site, and said the site "always complies with requests from authorities."

But earlier this month, Vader apparently triggered hacktivists' ire with comments he made to the BBC when discussing the 1,200 daily abuse reports the site receives, requesting that specific posts be erased. "I am looking to hire some extra people soon to monitor more of the website's content, not just the items that are reported," Vader told the BBC. He also noted that the site, which records the IP address of every uploader, tends to comply with requests from authorities for that IP information, provided they have a proper court order.

Vader's revelations led to a backlash from the Anonymous set, which took to Twitter to accuse him of practicing censorship. Many also began promoting alternatives to Pastebin for would-be document dumpers.

Interestingly, AnonPaste wasn't the only Anonymous version of a popular service to debut this month. Another service being talked up by Anonymous fans has been TalkOpen, which offers itself as an alternative to Twitter that will never share users' information with outsiders. The site runs on StatusNet, which is free, open source "microblogging" software that offers a Twitter-like, stream-oriented interface.

But the service offers some non-Twitter-like promises. "This service will NOT comply with court orders to turn over your private information," states the TalkOpen FAQ. "We aim to run a secure yet private service, and doing this would defeat the purpose of TalkOpen. In cases regarding child pornography or murder however, we will comply."

Of course, talk is cheap when it comes to promising to keep customers anonymous at all costs, since in the event of a court order, the site's administrators might be forced to share information with authorities or risk imprisonment, not to mention seeing their site forced offline. A whois lookup of the "TalkOpen" domain name reveals that the server running the site is hosted in France, by French ISP Ovh Systems. Notably, its terms of service state that it can discontinue service for any customer that doesn't comply with its code of conduct, which requires customers to abide by all applicable French laws and regulations, as well as the intellectual property rights of others.

User Rank: Apprentice
4/21/2012 | 8:48:32 AM
re: Anonymous Builds New Haven For Stolen Data
Anti-privacy slant: you focused your article on the doxing purpose of such a tool, while this is only one possible side of the story. Would you present knives as mean machines designed to pierce hearts and cut throats? Because this is exactly what you're doing here with ZeroBin and AnonPaste. You absolutely focus on the potential harm (or "arguable harm according to administrations who like their offenses to remain secret").

Vouching for Savage's software: His name's "Sauvage", not "Savage", and yes, I support his tool as well as the guy. Your article brushes very quickly on the privacy side of things, which is the core reason for Sauvage creating ZeroBin. When he released the first version of it, he mentioned the reason clearly. But you are sweeping everything under the rug in order to present YOUR truth, and how evil it is to not accept embedding a governmental camera in your butt 24/7 so that authorities can spy on you... oh wait! I meant to say "so that authorities can make sure that you're not a terrorist, a pedophile, or maybe even worse... an anti-war or anti-corruption activist".

And BTW, you did not answer my remark about privacy being trampled for the past 10 years. Do you deny it? Or are you not aware of it? If that is the case, you don't belong in the tech news industry. But if you spin the reality along the lines of the authorities' claims, well... for the sake of politeness, let's just say it would be bad. And you not mentioning this aspect of things in an article covering a ZeroBin installation is already lame (or politically oriented).

Sauvage's software hasn't been stress-tested? Of course not! It is a brand new thing, and you should know that if you had read Sauvage's website. But have you read ANYTHING beyond Sauvage's CV on his website, despite how irrelevant that may be compared to technical aspects? Have you cared to look at how it works and why it provides privacy? It provides privacy because the server doesn't know what the data is about. All encryption happens within the browser. And if you don't trust it, it is all JavaScript... meaning it is on your computer and you can read the code.
User Rank: Apprentice
4/20/2012 | 12:45:22 PM
re: Anonymous Builds New Haven For Stolen Data
Bhunji, not sure where you're finding the anti-privacy slant. So, are you vouching for Savage's software? Some Anonymous participants have seized on -- in your words -- a two-week-old tool to handle submissions in a way that they say will maintain anonymity. Given the tool's immaturity, it's obviously not been stress-tested for these types of scenarios, and what's to say it can't be surreptitiously subverted? Why should it be trusted (yet) to provide privacy?
User Rank: Apprentice
4/20/2012 | 8:37:35 AM
re: Anonymous Builds New Haven For Stolen Data
This article is a joke and so is its author. So you've been checking Sebastien Sauvage's CV, but you did not care to read what he wrote about ZeroBin, even though this piece of software was created (and therefore commented upon) barely 2 weeks ago? So you go to ridiculous lengths to assume that the beta status of the software is due to whichever reason your cognitive dissonance is gonna make up so as to fit the White House's propaganda? Go read what Seb Sauvage freaking wrote about it!!! FFS, it's all on his website! But no! Obviously you, Matthew, enjoy gargling Obama's balls.

And you'll spread the word about how Anonymous are evil, and how ZeroBin is made for evil H4x0r, when you seem to ignore how privacy (you heard about it, right? You know that regular, normal, non-hacking people used to have a right to privacy?) has been beaten to a pulp for the past 10 years, online and offline?

You're a moron and a sellout, Matthew!
Andrew Hornback
User Rank: Apprentice
4/20/2012 | 2:06:48 AM
re: Anonymous Builds New Haven For Stolen Data
Anyone who honestly believes that these anonymous systems don't collect data about where the submissions come from should really consider buying this bridge that I have for sale in Brooklyn.

Once information is digitized, it can be tracked if it is transmitted. Period, end of story. And honestly, perhaps the software was designed in a way so as not to track where submissions come from, but anyone looking at the logs of the server that the software runs on and/or the logs of an upstream router will be able to figure all of that out.

Andrew Hornback
InformationWeek Contributor