
“Resecurity Inc., California-Based cybersecurity company”

timezone_string: Europe/Kiev

Admin IP address:, AS196740, Ukraine

Really piling on the confidence here.

This one's before the Forbes article:

Citrix Data Breach – Next is what to do next newsbeezer.com "resecurity" kiev ukraine from newsbeezer.com 19 hours ago · KIEV, UKRAINE – 2019/01/ 20: Citrix Systems software ... According to Security Company Resecurity, the attacks were ...


Here's the article's top image sub-text:

Citrix was hit by hackers in attacks that may have exposed large amounts of customer data. KIEV, UKRAINE – 2019/01/20: Citrix Systems software Company logo displayed on a smartphone. (Photo by Igor Golovniov / SOPA Images / LightRocket on Getty Images) Getty

The image is hosted by Forbes: https://thumbor.forbes.com/thumbor/600x315/https%3A%2F%2Fspe...

Why newsbeezer has an article dated an hour earlier in a Google search than the Forbes article which is hosting the image on both sites, and why it's coincidentally sub-texted with KIEV, UKRAINE, I can't explain...

Way too sloppy for a false flag operation. Probably just some shady company trying to make a buck.

Regardless, it would be irresponsible to trust their attribution claim, especially when no evidence has been presented.

I just did a search for `"resecurity" kiev ukraine` on Google and got some strange results showing news articles from well-known sites stating KIEV, UKRAINE in context with the article's top pic... I'm not sure how to explain that:

Why The Citrix Breach Matters -- And What To Do Next Forbes "resecurity" kiev ukraine from www.forbes.com 18 hours ago · KIEV, UKRAINE - 2019/01/20: Citrix Systems Software company logo seen ... According to security firm Resecurity, the attacks were perpetrated by ...



Nice find. It contains the e-mail address mr.archee@gmail.com

Which seems to belong to a Russian guy: https://support.webasyst.ru/forum/4011/filtr-v-vide-select/

Must be a Russian-speaking Iranian ;-)

Unsecured directory listing of a common PHP CMS that shows uploads, and one of them is a full DB dump made with phpMyAdmin. The only thing missing is execution rights in that directory.
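A check for the failure mode the comment above describes (an autoindex page on an uploads directory exposing a database dump), as an added example that is not part of the thread or of the company's site. The HTML is a constructed Apache-style listing imitating what a `/wp-content/uploads/` autoindex page looks like; the filenames in it are made up, and the extension table is this example's own choice, not anything the thread states.

```python
"""Detect an exposed directory listing and flag dangerous files in it.

Added example, not from the original thread. SAMPLE_LISTING is a constructed
Apache autoindex page; the file names are invented.
"""
from html.parser import HTMLParser

# Extensions that should never sit in a web-served upload directory.
# Ordered so that "site.sql.zip" is reported as a dump, not a generic archive.
SENSITIVE = {
    "database dump": (".sql", ".sql.gz", ".sql.zip", ".dump"),
    "archive/backup": (".zip", ".tar", ".tar.gz", ".tgz", ".bak", ".old"),
    "secrets/config": (".env", ".htpasswd", "wp-config.php.bak"),
    "executable": (".php", ".phtml", ".php5", ".phar"),
}

SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/wp-content/">Parent Directory</a></td></tr>
<tr><td><a href="2019/">2019/</a></td></tr>
<tr><td><a href="logo.png">logo.png</a></td></tr>
<tr><td><a href="site-backup.sql">site-backup.sql</a></td></tr>
<tr><td><a href="uploads-2018.zip">uploads-2018.zip</a></td></tr>
</table></body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect every <a href> and the <title> text from a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(html):
    """True when the page carries the 'Index of /...' title Apache and nginx emit."""
    p = _LinkExtractor()
    p.feed(html)
    return p.title.strip().lower().startswith("index of ")


def find_sensitive_uploads(html):
    """Return (href, category) for every listed file with a dangerous extension."""
    p = _LinkExtractor()
    p.feed(html)
    hits = []
    for href in p.hrefs:
        name = href.rsplit("/", 1)[-1].lower()
        # Skip autoindex sort links ("?C=N;O=D") and sub-directories / parent dir.
        if not name or href.startswith("?") or href.endswith("/"):
            continue
        for category, exts in SENSITIVE.items():
            if name.endswith(exts):
                hits.append((href, category))
                break
    return hits


if __name__ == "__main__":
    print("listing:", is_directory_listing(SAMPLE_LISTING))
    for href, category in find_sensitive_uploads(SAMPLE_LISTING):
        print(f"{category:15s} {href}")
```

The "executable" category covers the comment's remaining concern: a `.php` file showing up under uploads on a server that will run it. The server-side fix is `Options -Indexes` in the uploads `.htaccess` (or `autoindex off;` in nginx) plus keeping dumps out of the web root entirely; turning the listing off does not protect a dump whose filename can be guessed.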

This is either an insider joke or a jump back to 2004.

this is "wordpress-normal" - the funny/sad part is it's the WordPress blog of a security company investigating a huge breach...

Unless this is actually not a security company investigating a huge breach.

I've never seen directory listing turned on as a normal part of WP install.

Well, it's better to get some WordPress hacked than it is to have a server on-prem get pwned and used as an inadvertent bastion to your internal network.

phpMyAdmin is approx. the only thing I remember about making a website.

Nice. According to the wp_users table there are 3 users, all nearly exactly 1 year old (2018-03-03, 2018-03-05, 2018-03-17). What are the chances that's a coincidence?
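How the observation above is made from a dump file, as an added example that is not part of the thread and does not use the real dump. It parses the `INSERT INTO` statement phpMyAdmin writes for `wp_users` and pulls out `user_registered`; the dump text is a constructed sample whose three dates match the comment, while the logins, hashes and addresses are invented. The statement parser is this example's own simplification (it assumes a `;` at end of line terminates the statement), not phpMyAdmin's grammar.

```python
"""Pull registration dates out of a phpMyAdmin-style wp_users INSERT.

Added example, not from the original thread. SAMPLE_DUMP is constructed; only
the three dates come from the comment above.
"""
import re
from datetime import datetime

SAMPLE_DUMP = r"""-- phpMyAdmin SQL Dump (constructed sample, not the real file)
INSERT INTO `wp_users` (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES
(1, 'admin', '$P$BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX', 'admin', 'admin@example.invalid', '', '2018-03-03 10:11:12', '', 0, 'admin'),
(2, 'editor', '$P$ByyyyyyyyyyyyyyyyyyyyyyyyyyyyyY', 'editor', 'editor@example.invalid', '', '2018-03-05 09:00:00', '', 0, 'O\'Neil'),
(3, 'author', '$P$BzzzzzzzzzzzzzzzzzzzzzzzzzzzzzZ', 'author', 'author@example.invalid', '', '2018-03-17 15:30:00', '', 0, 'Author');
"""

# Simplification: a statement ends at the first ';' that closes a line.
INSERT_RE = re.compile(
    r"INSERT INTO `?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*(.*?);\s*$", re.S | re.M | re.I)


def _iter_tuples(text):
    """Yield the body of each top-level (...) tuple, ignoring parens inside strings."""
    depth, in_str, start, i = 0, False, None, 0
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 2          # skip the escaped character
                continue
            if c == "'":
                in_str = False
        elif c == "'":
            in_str = True
        elif c == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                yield text[start:i]
        i += 1


def _split_values(body):
    """Split one tuple body into Python values: quoted strings, ints, NULL."""
    vals, i, n = [], 0, len(body)
    while i < n:
        c = body[i]
        if c in " ,":
            i += 1
            continue
        if c == "'":
            j, buf = i + 1, []
            while j < n:
                ch = body[j]
                if ch == "\\" and j + 1 < n:        # backslash escape
                    buf.append(body[j + 1]); j += 2; continue
                if ch == "'":
                    if j + 1 < n and body[j + 1] == "'":  # doubled-quote escape
                        buf.append("'"); j += 2; continue
                    break
                buf.append(ch); j += 1
            vals.append("".join(buf))
            i = j + 1
        else:
            j = i
            while j < n and body[j] != ",":
                j += 1
            tok = body[i:j].strip()
            vals.append(None if tok.upper() == "NULL"
                        else int(tok) if tok.lstrip("-").isdigit() else tok)
            i = j
    return vals


def parse_table(dump, table):
    """Return the rows of `table` as dicts keyed by column name."""
    rows = []
    for m in INSERT_RE.finditer(dump):
        if m.group(1) != table:
            continue
        cols = [c.strip().strip("`") for c in m.group(2).split(",")]
        for body in _iter_tuples(m.group(3)):
            rows.append(dict(zip(cols, _split_values(body))))
    return rows


def registration_timeline(users):
    """Sorted (login, registered) pairs from wp_users rows."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted(((u["user_login"], datetime.strptime(u["user_registered"], fmt))
                   for u in users), key=lambda t: t[1])


def registration_span_days(users):
    """Days between the first and last account creation."""
    tl = registration_timeline(users)
    return (tl[-1][1] - tl[0][1]).days


def account_ages_days(users, as_of):
    """Age of each account in whole days as of an ISO date string."""
    ref = datetime.strptime(as_of, "%Y-%m-%d").date()
    return {login: (ref - reg.date()).days for login, reg in registration_timeline(users)}


if __name__ == "__main__":
    users = parse_table(SAMPLE_DUMP, "wp_users")
    for login, reg in registration_timeline(users):
        print(f"{login:10s} {reg}")
    print("created within", registration_span_days(users), "days")
```

Three accounts created inside a two-week window is the fact the comment rests on; the hashes, `user_email` and `user_activation_key` columns in a real dump are what makes such a file dangerous to leave world-readable.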

Is there any risk you take by posting that?

That is a page that I doubt the author would have wanted to be public, and is not linked to from the home page or its descendants. Wasn't that the case against weev?

(IMO, if it is public, it should be legal to post to it, but whatever.)

Interesting question. Technically, it is public. The user didn’t break anything or use any nefarious techniques. The web server is configured to list directories which in concert with file permissions makes it public. Not sure how/if this might be analogous to “just because a door isn’t locked doesn’t mean you can go in”.

Feels like there isn't even a door... "just because it's in my front yard doesn't mean you're allowed to walk in front of my house and look at it sitting there."

This argument is not much different than what the grandparent is referring to. weev was convicted of conspiracy to access a computer without authorization because he advised a guy who discovered a publicly available HTTP API hosted by AT&T that returned email addresses based on guessable ids. The conviction was overturned, but on procedural grounds, not legal ones.

Directory listing wasn't on, on the AT&T server.

He accessed “public” URLs that he inferred the existence of but wasn’t supposed to access. So I guess if you can start at the homepage of this site and find a link to a directory, you’re OK.

It was linked from https://resecurity.com/wp-content/uploads/, which is a common and public URL, and anything uploaded there is intended to be public. Of course, whoever uploaded it either wasn't aware or didn't think it through--maybe they thought nobody would ever visit that page.

As you can see, the link is gone now.

This url is now showing a 404.

They took it down. What did it say?

It was an SQL dump of their entire database: https://archive.is/https://resecurity.com/wp-content/uploads...
