
87: Guild of the Grumpy Old Hackers


March 16, 2021

TLDR: In 2016, LinkedIn data was breached, and hackers Victor, Edwin, and Mattijs share their story on handling it.

  • The Importance of Digital Security in the Age of Social Media

    It's crucial to prioritize digital security, even if you're a high-profile individual like a politician or celebrity. The advancements in technology mean that cyber threats are ever-evolving, so taking preventive measures is vital to protect personal information.

    Donald Trump relied heavily on Twitter as a form of communication during his presidency, but his Twitter account was hacked three times despite his claim that 'nobody gets hacked.' This highlights the importance of practicing good digital security, especially for high-profile individuals. Even someone like Sarah Palin had her Yahoo account hacked by a 20-year-old who found her personal information easily accessible online. It's important to take digital security seriously, regardless of one's position or wealth. As technology continues to advance, so do the methods of hacking and compromising online accounts. Everyone should take steps to protect themselves from digital threats and be aware of possible vulnerabilities.

  • The Grumpy Old Hackers: Ethical Hacking for a Safer Internet

    The Grumpy Old Hackers are a group of ethical hackers who mentor younger generations and work with law enforcement programs to promote responsible hacking. Their mission is to make the internet a safer place.

    The disclosure of personally identifiable information (PII) is a growing ethical concern. The hackers who call themselves the Grumpy Old Hackers, including Edwin, Matt, and Victor, have made it their mission to find vulnerabilities in computer systems and notify the responsible parties to keep the internet a safer place. They do so by mentoring the younger generation of hackers and encouraging them to use their skills ethically. They also work with programs like Hack_Right, a Dutch law enforcement program that helps young offenders put their skills to use for ethical hacking. Edwin, who has been hacking from a young age, loves bringing all the hackers together to do new things, which are mostly on the edge and exciting for him and his team.

  • The Importance of Ethical Responsibility in Hacking

    Ethical hacking requires a responsible approach, including disclosure to the entity involved and avoiding exploitation of data. Respect for privacy is important, even when testing security.

    Ethical hacking requires responsible disclosure to the concerned company or entity and does not involve selling or exploiting the data. Testing hacked passwords on other accounts may be considered wrong, but the intention of ethical hackers is to help improve security. Bug bounty programs offer rewards for hacking and testing, but not all entities have them. The Grumpy Old Hackers faced an ethical dilemma when they got access to the LinkedIn database from 2012 and explored what was there in their hotel room. A responsible and ethical approach is necessary while testing security; a violation of someone's privacy should not be excused under the guise of ethical hacking.

  • The LinkedIn Breach of 2016 and the Importance of Strong Passwords and Salting Strategies

    Choose strong passwords with good hygiene and change them frequently. Employ password-salting strategies to make passwords harder to crack, and educate others on the dangers of credential stuffing.

    In 2016, LinkedIn suffered a breach where over 100 million credentials were stolen, including weak passwords like '123456', 'password', and 'LinkedIn'. Edwin, Jack, and Victor warned their acquaintances by informing them that their passwords from four years ago were visible and vulnerable. They taught them about credential stuffing which was not well-known at the time. LinkedIn didn't salt their passwords, making them easier to crack. As a result, over 60% of the passwords were cracked, making it easier for bad actors to access personal information. It is essential for users to choose strong passwords with good password hygiene, changing them frequently. Additionally, having password-salting strategies can make passwords more challenging to crack.

  • Trump's Password Hack Exposes Poor Security Practices

    Using easy-to-guess or reused passwords can expose personal data to cyber threats. Always use strong passwords for different accounts to prevent hackers.

    Donald Trump's LinkedIn password in 2012 was 'yourefired', which was also the catchphrase he used on his show 'The Apprentice'. The password was so obvious that the hackers were shocked. The Grumpy hackers wondered if he would reuse the same password for his other accounts, and they tried it for his Twitter account, and it worked. This exposed how poor Trump's password hygiene was. For a celebrity billionaire, using such an easy-to-guess password was a bad practice. The incident highlights how important it is to use strong passwords and not to reuse passwords for different accounts.

  • Hackers attempt to breach Trump's Twitter account and disclose their findings responsibly

    Responsible disclosure is crucial in cybersecurity, but it requires successful exploitation to be effective. Hackers can use OSINT and SMTP enumeration to obtain valuable information related to a hack.

    The Grumpy Old Hackers attempted to hack Donald Trump's Twitter account from a hotel room in Belgium, testing his years-old password, which was still valid. Realizing that they would be blamed if something went wrong, they decided to log in all the way and submit a responsible disclosure to Trump. To do this, they had to find the email address connected to his Twitter account, and they used OSINT to figure out all the valid email addresses associated with Trump's domains. The hackers used SMTP enumeration to find the valid email addresses and get past the last hurdle, making the report valuable for Donald Trump. Responsible disclosure only works if the hack actually works, not by just warning somebody about their password and directing them.

  • Impact of Various Factors on Cybersecurity

    Hackers can easily bypass a system's security by exploiting vulnerable areas such as email validation, weak internet connection, and inadequate device security. It is essential to take necessary measures to prevent such attacks.

    Hackers can verify whether an email address is valid by using the SMTP VRFY command, a technique known as SMTP enumeration. Metasploit can help to speed up the process by trying thousands of names and words. The limiting factor in this process is the internet connection. Twitter's security policy for logins considers the geographical region and the phone used for logging in. Mimicking these details and using an open HTTP proxy in the same region can help hackers log into social media accounts. Trump's old and insecure Android phone was also a security risk.

  • The Grumps Successfully Hack into Trump's Twitter Account and Take Responsible Action

    Crossing the line of logging into someone's account without permission can be justified if done for the greater good and with responsible action taken afterwards. The Grumps teach young hackers the importance of having a good reason before doing so.

    The Grumps successfully hacked into Trump's Twitter account by figuring out his credentials and tricking Twitter. They had full access to his account but only took screenshots to prove their success. Their next responsible task was to document everything and write a comprehensive disclosure email to Trump, explaining the issue and suggesting preventative measures. The Grumps teach young hackers to have a good reason before crossing the line of logging into someone's account without permission. Although accessing someone's account without permission is a grey area, the risk of someone else doing it and doing something unpleasant with the account justifies the Grumps' actions in this case.

  • The Importance of Cybersecurity for Public Figures and Individuals

    Using strong passwords and being vigilant in securing online accounts is crucial to avoid being hacked. Cybersecurity is a shared responsibility, and everyone needs to take proactive steps to protect their online presence.

    Using strong passwords and being vigilant in securing one's online accounts is crucial to avoid being hacked, especially for public figures like politicians. The Grumps discovered that the US president's vulnerable Twitter account had been hacked before, yet he continued to use the same weak password. The importance of cybersecurity cannot be overemphasized, and individuals and organizations need to take proactive steps to prevent unauthorized access to their accounts. The Grumps ultimately reached out to the Dutch National Cyber Security Center for assistance when their attempts to notify US agencies were unsuccessful. Cybersecurity is a shared responsibility, and everyone needs to play their part in protecting their online presence.

  • The Grumps report hack on Trump's Twitter account and influence security changes on social media platform

    Verified and influential accounts should have strict security measures in place to prevent misinformation and cyberattacks. Reporting cybercrime to authorities can lead to action and positive change.

    The Grumps managed to contact the Dutch government and reported the hack on Trump's Twitter account, which led to the US CERT taking action. They also suggested to Twitter that verified accounts need better security and Twitter responded by making password reset protection a default setting for election-related accounts. Influential accounts require stricter security as they have a large following and misinformation spread from these accounts should not be possible. While Twitter did not directly respond to the Trump hack or Victor's tweets, their actions suggest that they took heed of the suggestions given. Responding to disclosures of this level is common, even if the party taking action does not mention the notifier.

  • Importance of Online Security and Ethical Considerations in Cybersecurity

    Strong passwords, two-factor authentication, and regularly changing passwords are crucial in securing accounts. Responsible reporting of vulnerabilities is critical. Both individuals and organizations need to prioritize online security.

    It's important to use strong passwords and enable two-factor authentication to protect accounts from hacking. It's commendable that the Grumpy Old Hackers helped secure a vulnerable Twitter account before the 2020 presidential election, but it's also important to consider the ethics of their actions. The LinkedIn breach in 2012 highlights the importance of regularly changing passwords and being vigilant about online security. The fact that Victor has made numerous responsible coordinated vulnerability disclosures underscores the importance of responsible reporting of security issues. Overall, organizations need to be proactive about improving their security measures to protect users and prevent cyber attacks, and individuals should take steps to protect their own online security.
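
The salting point in the LinkedIn item above, as an added Python example that is not from the episode or its summary: it contrasts a fast unsalted hash with a per-user salt plus a slow KDF. The accounts are constructed, SHA-1 stands in for "a fast unsalted hash" (the summary does not name the algorithm), and the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware

# Constructed sample accounts (not real data); two users share a password.
USERS = {"alice": "123456", "bob": "password", "carol": "123456",
         "dave": "correct horse battery staple"}
COMMON = ["123456", "password", "LinkedIn"]  # weak choices named in the summary


def unsalted_sha1(password: str) -> str:
    """Fast, unsalted hash: the same password always gives the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    salt, key = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, key)


def exposed_by_one_table(stored: dict[str, str]) -> set[str]:
    """Accounts whose stored digest appears in a single precomputed table."""
    table = {unsalted_sha1(p) for p in COMMON}  # computed once, reused for all
    return {user for user, digest in stored.items() if digest in table}


def audit() -> dict:
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: salted_record(p) for u, p in USERS.items()}
    return {
        "exposed_unsalted": exposed_by_one_table(unsalted),
        "same_digest_unsalted": unsalted["alice"] == unsalted["carol"],
        "same_key_salted": salted["alice"][1] == salted["carol"][1],
        "login_ok": verify("123456", salted["alice"]),
    }


if __name__ == "__main__":
    print(audit())
```

Salting removes the shared lookup table and hides which accounts reuse the same password, but a weak password still falls to per-account guessing; the slow KDF only raises the cost of each guess.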
