giovedì 5 gennaio 2012

Thorwed: a conversation with the hacker

Some days ago, I found that a governmental Italian site ( was hacked by an hacker named Thorwed. Thorwed owned the DB and then published all the usernames and passwords of the site (more than 9000 entries) on Pastebin. Since I work for a governmental CERT, I warned the people in charge of the security of this site and then, with the essential help of some friends, we sent an email to all the involved users asking them to change their passwords.

After few days, other two "events" occurred, the Joint Research Centre and the Rainews24 sites were hacked and, again, all data (usernames, passwords and emails) were published by Thorwed on Pastebin.

Same situation, same response. 

The day after all has finished, but I was very intrigued by the actions of this hacker so I decided to leave a message on Pastebin, asking Thorwed to contact me.

This evening I found on my blog and on Pastebin this message left by Thorwed:

"# Thorwed
# I apologize in advance

Hi Matteo, I am Thorwed.
Let me explain about: ( 
The first laid the basis of (, which contained (login; pass; mail) a day later it was modified,
where I wrote the reasons for their actions:
"... I am very sad to look at the large site with such childish errors that are fixed for a few minutes. 
This is especially true of government websites. In December, an error that could be eliminated within a few minutes was the diversion of 9000 + data. 
I think you ask why I showed the entire database? but if I showed only a mistake nobody would have noticed.
When I put a base on it turns out there was already an analogy only it contained the names of the tables.
( on October 10, ridiculous is not it? Nobody paid any attention to even and did not close the error." 
I think the reasons for these large and important sites such as Rainews24 and others are not worth explaining.
I just want to add, in a world very vulnerable state sites.
Oh yeah I forgot to say that I stopped and I was left with a list of vulnerable sites of domain zones (.,. and others), but they will not leak.
Goodbye. Yours faithfully. Thorwed ..."

First of all, I want to thank Thorwed to have accepted my invitation.

Secondly, I want write a public answer to the Thorwed's message:
"Thorwed, I remember that you had a Twitter account in which you wrote "Con la esperanza de hacerlo mejor...". 

Well, you do have the possibility to make it better... and this possibility is called "Responsible disclosure". 

I don't want to bother you giving a definition of what responsible disclosure is or highlighting the importance of a such approach.

I just want to say that, if your goal is the improvement of the websites security, particularly the governmental ones, just send me your findings privately, I can forward them to the right people and then publish your discovery on my blog.

This way, you can achieve your goals and obtain the deserved visibility without harming anyone.

Think about it. 

This makes the difference between an offence and a meritorious action.

Write me, this is my email address

Update to the post (January 13, 2012)

Some days ago Thorwed contacted me privately to submit some information regarding a couple of vulnerabilites found on many Italian sites. Most of these sites are registered by private citizens and companies but some of them are school websites within the "" domain.

In association with a friend, I performed some checks to verify the quality of these warnings then I sent a report to some of the owners of the vulnerable sites.

I want to publicly thank Thorwed for accepting my invitation to disclose this kind of  information more responsibly.

In the next few days I will verify, if at least the domain will be fixed.

Nessun commento:

Posta un commento