4/19/2012 12:25 PM

Anonymous Builds New Haven For Stolen Data

Saying Pastebin has censored its posts, Anonymous creates AnonPaste, a new site where hacktivists can dump stolen data.

[Slideshow: Anonymous: 10 Facts About The Hacktivist Group]

Anonymous, together with a group known as the Peoples Liberation Front, Tuesday announced the immediate availability of a new website for hacktivists to dump their stolen ("doxed") data.

Dubbed AnonPaste, the website has been created as an alternative to Pastebin and other websites that allow people to anonymously upload large amounts of text, the two groups said in a joint press release. Shared content can be set to expire after 10 minutes, an hour, a day, a month, a year, or never. In addition, the site promises to remain advertising-free and unmoderated, maintain no connection logs, and store only encrypted data.

The AnonPaste site says, "[The] server has zero knowledge of data being stored. Your data is safe even in case of server breach or seizure." But it cautions that in the event that a hacker manages to successfully install "crooked JavaScript" libraries, future pastes could be captured.

AnonPaste, which accepts donations via WePay and Bitcoin, was built using the open source ZeroBin software, which doesn't record the IP addresses of uploaders. In addition, the software encrypts and decrypts all text in the browser--before uploading it--using 256-bit AES encryption. The software also automatically converts URLs into clickable links.

[ Anonymous members don't always cover their own tracks. See Anonymous Hackers Not Smart On Anonymity, Feds Say. ]

But should would-be submitters of anonymous information trust the software on which AnonPaste is based? ZeroBin was created by, and is hosted on the personal website of, Sebastien Sauvage, a French developer with experience in developing online payment and authentication systems for French banks, which suggests he brings relevant knowledge to bear. Likewise, the software's tagline--"Because ignorance is bliss"--suggests that the software has been purpose-built to keep anonymous submissions anonymous.

But the ZeroBin software itself comes with numerous cautions: it's a "test service" and data may be deleted at the administrator's discretion. The ZeroBin site also warns, "Kittens will die if you abuse this service." That suggests that the server software hasn't been stress-tested against--or possibly, built to resist--the types of distributed denial-of-service attacks to which sites like Pastebin have been subjected.

Why the need for a new Pastebin? In part because Pastebin hasn't warmly embraced hacktivists who use it as a dox dumping ground. In fact, the site was created by Paul Dixon back in 2002 as a place for programmers to share snippets of source code. After 20,000 Hotmail account credentials were leaked via a Pastebin post in 2009, Dixon temporarily took the site offline while he added modifications to help prevent such data dumps.

Regardless, after the site was sold to Dutch entrepreneur and programmer Jeroen Vader in 2010, Pastebin became the go-to site for LulzSec to release dox or brag about attacks. By the middle of 2011, the site was recording its highest levels of traffic ever.

At the time, Vader told Social Media that the site had put a system in place to deal with takedown requests over sensitive data that ends up on the site, and said the site "always complies with requests from authorities."

But earlier this month, Vader apparently triggered hacktivists' ire with comments he made to the BBC when discussing the 1,200 daily abuse reports the site receives, requesting that specific posts be erased. "I am looking to hire some extra people soon to monitor more of the website's content, not just the items that are reported," Vader told the BBC. He also noted that the site, which records the IP address of every uploader, tends to comply with requests from authorities for that IP information, provided they have a proper court order.

Vader's revelations led to a backlash from the Anonymous set, which took to Twitter to accuse him of practicing censorship. Many also began promoting alternatives to Pastebin for would-be document dumpers.

Interestingly, AnonPaste wasn't the only Anonymous version of a popular service to debut this month. Another service being talked up by Anonymous fans has been TalkOpen, which offers itself as an alternative to Twitter that will never share users' information with outsiders. The site runs on StatusNet, which is free, open source "microblogging" software that offers a Twitter-like, stream-oriented interface.

But the service offers some non-Twitter-like promises. "This service will NOT comply with court orders to turn over your private information," states the TalkOpen FAQ. "We aim to run a secure yet private service, and doing this would defeat the purpose of TalkOpen. In cases regarding child pornography or murder however, we will comply."

Of course, talk is cheap when it comes to promising to keep customers anonymous at all costs, since in the event of a court order, the site's administrators might be forced to share information with authorities or risk imprisonment, not to mention seeing their site forced offline. A whois lookup of the "TalkOpen" domain name reveals that the server running the site is hosted in France, by French ISP Ovh Systems. Notably, its terms of service state that it can discontinue service for any customer that doesn't comply with its code of conduct, which requires customers to abide by all applicable French laws and regulations, as well as the intellectual property rights of others.


Comments
bhunji, User Rank: Apprentice, 4/21/2012 | 8:48:32 AM
re: Anonymous Builds New Haven For Stolen Data
anti-privacy slant: you focused your article on the doxing purpose of such a tool, while this is only one possible side of the story. Would you present knives as mean machines designed to pierce hearts and cut throats? Because this is exactly what you're doing here with ZeroBin and AnonPaste. You absolutely focus on the potential harm (or "arguable harm according to administrations who like their offenses to remain secret").

Vouching for Savage's software: His name's "Sauvage", not "Savage", and yes, I support his tool as well as the guy. Your article brushes very quickly on the privacy side of things, which is the core reason for Sauvage creating ZeroBin. When he released the first version of it, he mentioned the reason clearly. But you are sweeping everything under the rug in order to present YOUR truth, and how evil it is to not accept embedding a governmental camera in your butt 24/7 so that authorities can spy on you... oh wait! I meant to say "so that authorities can make sure that you're not a terrorist, a pedophile, or maybe even worse... an anti-war or anti-corruption activist".

And BTW, you did not answer my remark about privacy being trampled for the past 10 years. Do you deny it? Or are you not aware of it? If that is the case, you don't belong in the tech news industry. But if you spin the reality along the lines of the authorities' claims, well... for the sake of politeness, let's just say it would be bad. And you not mentioning this aspect of things in an article covering a ZeroBin installation is already lame (or politically oriented).

Sauvage's software hasn't been stress-tested? Of course not! It is a brand new thing, and you should know that if you had read Sauvage's website. But have you read ANYTHING beyond Sauvage's CV on his website, despite how irrelevant that may be compared to technical aspects? Have you cared to look at how it works and why it provides privacy? It provides privacy because the server doesn't know what the data is about. All encryption happens within the browser. And if you don't trust it, it is all JavaScript... meaning it is on your computer and you can read the code.
Mathew, User Rank: Apprentice, 4/20/2012 | 12:45:22 PM
re: Anonymous Builds New Haven For Stolen Data
Bhunji, not sure where you're finding the anti-privacy slant. So, are you vouching for Savage's software? Some Anonymous participants have seized on -- in your words -- a two-week-old tool to handle submissions in a way that they say will maintain anonymity. Given the tool's immaturity, it's obviously not been stress-tested for these types of scenarios, and what's to say it can't be surreptitiously subverted? Why should it be trusted (yet) to provide privacy?
bhunji, User Rank: Apprentice, 4/20/2012 | 8:37:35 AM
re: Anonymous Builds New Haven For Stolen Data
This article is a joke and so is its author. So you've been checking Sebastien Sauvage's CV, but you did not care to read what he wrote about ZeroBin, even though this piece of software was created (and therefore commented upon) barely two weeks ago? So you go to ridiculous lengths to assume that the beta status of the software is due to whichever reason your cognitive dissonance is gonna make up so as to fit the White House's propaganda? Go read what Seb Sauvage freaking wrote about it!!! FFS, it's all on his website! But no! Obviously you, Matthew, enjoy gargling Obama's balls.

And you'll spread the word about how Anonymous are evil, and how ZeroBin is made for evil H4x0rs, when you seem to ignore how privacy (you heard about it, right? you know that regular, normal, non-hacking people used to have a right to privacy?) has been beaten to a pulp for the past 10 years, online and offline?

You're a moron and a sellout, Matthew!
Andrew Hornback, User Rank: Apprentice, 4/20/2012 | 2:06:48 AM
re: Anonymous Builds New Haven For Stolen Data
Anyone who honestly believes that these anonymous systems don't collect data about where the submissions come from should really consider buying this bridge that I have for sale in Brooklyn.

Once information is digitized, it can be tracked if it is transmitted. Period, end of story. And honestly, perhaps the software was designed in a way so as not to track where submissions come from, but anyone looking at the logs of the server that the software runs on and/or the logs of an upstream router will be able to figure all of that out.

Andrew Hornback
InformationWeek Contributor