
Skype blog hacked - tazer
http://blogs.skype.com/2014/01/01/hacked-by-syrian-electronic-army-stop-spying/
======
xSwag
This blog is not hosted by the Skype but on WordPress VIP. This means that,
most likely, the blog was not broken into using a software exploit of any sort
since the security on VIP blogs is professional. Knowing that this is the
Syrian Army, this attack was most likely done using phished credentials.

If they had any sort of system access they would have defaced the entire
subdomain or the main site. So most likely, this is nothing to worry about.
Your account data is most likely still in safe hands.

~~~
t0
You're right. It was probably a brute force since they don't have maximum
login attempts. [http://blogs.skype.com/wp-admin](http://blogs.skype.com/wp-admin)

~~~
elwell
Such a simple feature to implement...

~~~
devinegan
It does appear to be a brute force or phishing attack. These sort of drive-bys
can typically be permanently stopped with 2FA or a password-less MFA solution
like LaunchKey (Disclaimer: co-founder). LaunchKey has a free WordPress Plugin
available, among others:
[http://wordpress.org/plugins/launchkey/](http://wordpress.org/plugins/launchkey/)

It is 2014, you better prepare a good PR response for when you get breached OR
start implementing stronger authentication ASAP.
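Added example (not code from the thread, from WordPress.com, or from any plugin mentioned above): the kind of per-account and per-source failed-login limiter that t0 and elwell say was missing, replayed over a constructed stream of login events. The class name, thresholds, IPs and the event list are all assumptions.

```python
"""Failed-login limiter with sliding window and temporary lockout.
Added example; all names, thresholds and sample data are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    max_failures: int = 5          # failures allowed inside the window
    window_seconds: int = 600      # sliding window length (10 minutes)
    lockout_seconds: int = 900     # how long a locked key stays locked
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def _prune(self, key, now):
        # drop failures that fell out of the sliding window
        q = self._failures[key]
        while q and q[0] <= now - self.window_seconds:
            q.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        return until is not None and now < until

    def check(self, username, source_ip, now):
        """True if this attempt may proceed to password verification."""
        return not (self.is_locked(("user", username), now)
                    or self.is_locked(("ip", source_ip), now))

    def record_failure(self, username, source_ip, now):
        # track the account and the source separately; either one can lock
        for key in (("user", username), ("ip", source_ip)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout_seconds
                self._failures[key].clear()

    def record_success(self, username, source_ip, now):
        self._failures[("user", username)].clear()


def replay(events, limiter=None):
    """Feed (time, username, source_ip, password_correct) tuples through the
    limiter and return one decision per event: "success", "fail" or "locked"."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for now, user, ip, password_ok in events:
        if not limiter.check(user, ip, now):
            decisions.append("locked")   # rejected before the password is checked
        elif password_ok:
            limiter.record_success(user, ip, now)
            decisions.append("success")
        else:
            limiter.record_failure(user, ip, now)
            decisions.append("fail")
    return decisions


# Constructed sample: five guesses from one source, a sixth after lockout,
# then the real owner logging in from elsewhere before and after the lockout.
SAMPLE_EVENTS = [
    (0, "admin", "203.0.113.5", False),
    (10, "admin", "203.0.113.5", False),
    (20, "admin", "203.0.113.5", False),
    (30, "admin", "203.0.113.5", False),
    (40, "admin", "203.0.113.5", False),    # fifth failure: lockout starts
    (50, "admin", "203.0.113.5", False),    # still guessing, rejected outright
    (60, "admin", "198.51.100.7", True),    # correct password, but account is locked
    (1000, "admin", "198.51.100.7", True),  # lockout expired
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The per-account lock is what stops a distributed guessing run, but it also lets an attacker lock the real owner out (the seventh event above), which is why a limiter is a stopgap and a second factor, as devinegan suggests, is the actual fix.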

------
yeukhon
Here is the screenshot of the blog hacked.
[http://imgur.com/RGeTFWV](http://imgur.com/RGeTFWV)

So it looks like Skype doesn't host on its own server. It looks like this is
wordpress.com but with custom domain?

curl [http://blogs.skype.com](http://blogs.skype.com) -v

< X-hacker: If you're reading this, you should visit automattic.com/jobs and
apply to join the fun, mention this header.

__EDIT__ Okay it is

New to wpscan. When it says plugins found are these the vulnerable plugins
wordpress.com running?

[https://gist.github.com/yeukhon/8211580](https://gist.github.com/yeukhon/8211580)

And I found the username 7 pretty interesting.... wonder if I am actually
doing the ethical thing here :(

~~~
xsNzgw8
You will find those usernames whenever you scan wordpress.com with wpscan.

~~~
yeukhon
Wow you are right about that.

just did it on another blog.wordpress.com. How come? On Skype's blog I can
access /author/7 or /author/ian but I can't do it on another blog, I get
"Oops".

~~~
xsNzgw8
I think they are trying ?author=1, ?author=2, etc

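Added example (not code from the thread or from wpscan): a small detector, run over constructed access-log lines, that flags the `?author=1`, `?author=2`, ... probing xsNzgw8 describes, plus `/author/<name>/` requests. The log format is the common Apache/nginx combined format; the IPs, timestamps and threshold are assumptions.

```python
"""Flag WordPress author-enumeration probing in combined-format access logs.
Added example; sample log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

AUTHOR_PATH_RE = re.compile(r'^/author/([^/?]+)/?$')

# Constructed: one source walking numeric author ids, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [01/Jan/2014:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.9 - - [01/Jan/2014:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.9 - - [01/Jan/2014:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 301 0
203.0.113.9 - - [01/Jan/2014:10:00:04 +0000] "GET /?author=4 HTTP/1.1" 404 0
203.0.113.9 - - [01/Jan/2014:10:00:05 +0000] "GET /?author=7 HTTP/1.1" 301 0
198.51.100.4 - - [01/Jan/2014:10:01:00 +0000] "GET /author/ian/ HTTP/1.1" 200 5120
198.51.100.4 - - [01/Jan/2014:10:01:30 +0000] "GET /2014/01/01/some-post/ HTTP/1.1" 200 8192
"""


def parse_line(line):
    """Parse one log line into a dict with path and query split out, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def author_probe(rec):
    """Return ("id", n) for ?author=n, ("slug", name) for /author/name/, else None."""
    ids = rec["query"].get("author")
    if ids and ids[0].isdigit():
        return ("id", int(ids[0]))
    m = AUTHOR_PATH_RE.match(rec["path"])
    if m:
        return ("slug", m.group(1))
    return None


def find_enumerators(log_text, min_distinct_ids=3):
    """Map source IP -> sorted numeric author ids it probed, for sources that
    tried at least min_distinct_ids distinct ids. A single /author/name/ visit
    is normal navigation and is not counted."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = author_probe(rec)
        if p and p[0] == "id":
            probes[rec["ip"]].add(p[1])
    return {ip: sorted(ids) for ip, ids in probes.items()
            if len(ids) >= min_distinct_ids}


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The tell is several distinct numeric ids from one source in a short span; the 301 responses are the redirect from `?author=N` to the author's archive page, which is where the username is exposed, so a 404 mixed in (id 4 above) is consistent with a gap in the user table rather than with a benign visitor.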
------
xsNzgw8
Snapshot archive (if they fix the page):
[http://mraka.eu/snapshot/v/blogs.skype.com](http://mraka.eu/snapshot/v/blogs.skype.com)

Direct link to the snapshot of the hacked site:
[http://mraka.eu/snapshot/img/2014/01/01/e0d8888c73483275afea...](http://mraka.eu/snapshot/img/2014/01/01/e0d8888c73483275afea3ba8e007adaf.png)

Snapshot archive of twitter account:
[http://mraka.eu/snapshot/v/twitter.com](http://mraka.eu/snapshot/v/twitter.com)

Direct link to the first tweet snapshot:
[http://mraka.eu/snapshot/img/2014/01/01/1d6269aa8371ce676587...](http://mraka.eu/snapshot/img/2014/01/01/1d6269aa8371ce67658770d5d703e2d9.png)

Direct link to the first retweet snapshot:
[http://mraka.eu/snapshot/img/2014/01/01/a0f4c0947281bb0fb19d...](http://mraka.eu/snapshot/img/2014/01/01/a0f4c0947281bb0fb19dce9a1a74b750.png)

------
wahnfrieden
The Twitter account has also been compromised at the same time:
[https://news.ycombinator.com/item?id=6996899](https://news.ycombinator.com/item?id=6996899)

~~~
seivan
[http://twitter.com/Skype/status/418495453471068161](http://twitter.com/Skype/status/418495453471068161)

~~~
Nux
Sounds legit. :-)

------
rev087
There is also a second post from the same - apparently compromised - author:
[http://blogs.skype.com/2014/01/01/dont-use-microsoft-emails-...](http://blogs.skype.com/2014/01/01/dont-use-microsoft-emails-hotmailoutlook-they-are-monitoring-your-accounts-and-selling-the-data-to-the-governments/)

------
ollysb
>> Hacked by Syrian Electronic Army.. Stop spying!

Seems a strange message to send to a country that spies on its own citizens
(and where apparently the citizens are unable to prevent their own government
from doing it to them).

~~~
X4
Indeed, and they buy German spying technology products. However I think the
logical fallacy you've stepped in is that the Syrian Electronic Army (SEA)
doesn't want to get spied on themselves by Skype and Microsoft, maybe. haha :)

But I fully support the message here, I think that spying inside of consumer
products is a sign of the abuse of power and monopoly.

------
t0
More than likely a guessed admin password.

------
lelandbatey
Here's a screenshot of the blog, in case it gets fixed:

[http://puu.sh/65TRe.png](http://puu.sh/65TRe.png)

------
coffeecheque
Its Twitter account was also hacked and a message posted, but it appears to
have been deleted.

Screenshot here:
[https://twitter.com/MikeElgan/status/418482819611230208](https://twitter.com/MikeElgan/status/418482819611230208)

~~~
ehPReth
Looks to be one of those auto posters (i.e. content posted on the blog is
automatically pushed out to twitter, facebook, others)

~~~
ihatehandles
I thought so as well, until
[https://twitter.com/Skype/statuses/4184954534710681](https://twitter.com/Skype/statuses/4184954534710681)

~~~
ehPReth
Ahh, I see. Interesting!

------
ihatehandles
Gotta wonder what's running through non-techie Skypers when they see the
tweets
([https://twitter.com/Skype/status/418495453471068161](https://twitter.com/Skype/status/418495453471068161))
and all :D

------
romanovcode
I'm not sure why the accent on "Stop using MS, it's spying on you!" is on MS.
AFAIK __every__ company is using your data and giving /selling it to the
government.

How is MS more evil than anyone else?

~~~
RyanZAG
If someone drowns 4 kittens and you only drown 1 kitten, you're still pretty
evil. I don't see how "everyone else is doing it" is possibly a valid
argument. Obviously 'evil' in this case is based on your definition though,
it's not exactly a universal concept.

~~~
diminoten
What if a cop held a gun to your head and told you to drown those kittens?

------
tsurantino
They also hacked their Facebook page.

------
mrkris
I don't consider getting access to a website via the most insecure blogging
platform on the internet "hacking".

~~~
jblz
Not sure why you say that. WordPress.com offers 2-Factor Auth:

[http://en.support.wordpress.com/security/two-step-authentica...](http://en.support.wordpress.com/security/two-step-authentication/)

There are also tons of available security plugins & pretty extensive
documentation on hardening a self-hosted install:

[http://wordpress.org/plugins/tags/security](http://wordpress.org/plugins/tags/security)
[http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)

~~~
X4
Hardening Wordpress. That made me speechless…………

But hey, what do I know? ¯\\_(ツ)_/¯ Only the tip of the iceberg. Some men
believe.

[https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress)

~~~
krapp
How much of what's on that list actually applies to a recent version of
Wordpress?

~~~
X4
_> > to a recent version of Wordpress_

Saying recent here isn't logical, because after patching the incident, it's
not an incident anymore. But I guess you mean how secure you are with a recent
version of Wordpress. I think this is a tough question, because Wordpress
relies to a high degree on external components and plugins. There is probably
no single pure Wordpress Blog, because the original Wordpress archive already
relies heavily on external dependencies. That's where many of the issues were
found as correctly pointed out by wyck. However this reliance on external
code, without a Wordpress team or at least a software that is evaluating the
code-quality or any other metric, you can't be secure. Yeah we can argue with:
_" But Wordpress is n-times more popular than X."_ However it still makes WP
very vulnerable to attacks. I've cleaned and recovered some hacked commercial
wp blogs and shops myself (not installed by me, but the previous dev). So
whatever you believe in WP may be, just get over it. There are so many other
opensource alternatives that wait for you to be tried out.

~~~
krapp
Show me an alternative that I can sell to a non-technically minded client with
a small business who just wants to blog and put up a youtube feed and do
e-commerce and maybe SEO. And oh, they can't ever even know what a terminal
is, much less git.

~~~
X4
Try [http://getkirby.com](http://getkirby.com) or
[http://concrete5.org](http://concrete5.org) or
[http://silverstripe.org](http://silverstripe.org) there are many many other
CMS or Blogging platforms too. For just Blogging as the main thing, you're
perfectly set with [https://ghost.org/](https://ghost.org/)

Without exaggerating, I've downloaded almost any CMS on Github and Bitbucket
and Sourceforge and I'm almost done with testing all of them. I think about 15
remain. With all honesty, I cannot say that I'm impressed with any CMS so far.
There is just one thing that stood out, with its concept, but it's still only
Alpha grade quality, that's: [http://parsimony.mobi/](http://parsimony.mobi/)

If you're curious what I ended up with, just ping me and I'll share my
results, after I've really compared all CMS with each other. Currently I would
say that there are about ~10 good quality CMS, with hundreds of miserably
coded ones. That is a good benchmark, for how good developers are in the real
world, I mean there is only so much space at the top of the iceberg. Not
everybody can excel with every project they start (well, except people like
Fabrice Bellard)

_I've not compared Typo3, Alfresco and other Enterprise CMS, because even
when they come with all features loaded, they suck at code complexity and user
friendliness_

You can't tell me that Wordpress is the only blogging platform that fits to
all of your requirements, because there are thousands of CMS out there and
you'll spend weeks testing all of them.

~~~
krapp
I'm not actually a Wordpress fanboy by any means (though it does pay the
bills) - for my own personal use I'm setting my site up in Slim Framework.
Professionally, though, I've found that if someone wants to blog or do
"e-commerce", talking them out of Wordpress (and into something they're still
willing to pay for) is a difficult thing to do.

