Saturday, August 12, 2017

Red Ice hacked

This is not surprising. Castalia House has been under continuous assault since the day we came out in support of GamerGate almost two years ago:
Henrik Palmgren  🐗‏ @Henrik_Palmgren   #TANGODOWN #HACKED @YourAnonNews @IGD_News Fuck all you nazi scum!!!!!

Henrik Palmgren  🐗‏ @Henrik_Palmgren
Replying to @Henrik_Palmgren @YourAnonNews @IGD_News
Red Ice TV is #TangoDown All servers/backups wiped. 23,000 member database stolen. MAJOR DOX INCOMING!!! @NYCAntifa @YourAnonNews @IGD_News
If you're Alt-Right, or even Alt-Lite, better get in the habit of practicing proper operational security. 16-digit randomized passwords on everything, different passwords for everything, and so forth. I doubt this is an accident given that it is just one day after Lana Lokteff was featured in a Harper's piece on the women of the Alt-Right.

It looks like both their Twitter account and their main site were hacked, which suggests the same password was used for both.

Blogger Gifford Pinchot August 12, 2017 12:46 PM  

This is disastrous, but will they dox all the customers? Do they want to make committed nationalists out of all those listeners?

Blogger Zundfolge August 12, 2017 12:51 PM  

"If you're Alt-Right, or even Alt-Lite, better get in the habit of practicing proper operational security. 16-digit randomized passwords on everything, different passwords for everything, and so forth."

I recommend LastPass which makes using multiple 16-digit different passwords much easier.

I think I need to invest in a good proxy too.

Blogger BastionHarm August 12, 2017 12:58 PM  

Also note that was taken down yesterday by a DoS attack (they just came back online). Interesting timing, no?

Anonymous Difster August 12, 2017 12:58 PM  

A password strategy I published on my blog years ago.

Most people have a terrible password strategy; it consists of one password used for every type of account. It's usually either something easy to remember or uses one of those crazy letter substitution schemes.

If you follow this advice, it will keep your stuff more secure.

1. Wherever possible, use a "pass phrase" rather than a password. A long pass phrase such as "we wish you a merry christmas" is much harder for a computer to crack than "p@ssw0rd1", for example. The theory behind this is that machines can easily crack words using letter substitution so using symbols in place of letters is no help. However, a pass phrase with a minimum of 12 characters takes a LOT longer for a computer to crack. In my example of a pass phrase above, it's a 28 letter password (including spaces). Do you have any idea what kind of resources would have to be thrown to decrypt a password that length? Also, a pass phrase is easier to remember than a cryptic, but shorter password.

2. Use a different pass phrase for each banking or financial account. Even if there are only slight differences, protect your most important asset. Databases can get cracked. Sometimes when this happens, the passwords are also discovered. You don't want one database being cracked to result in all of your accounts being drained. If you use one of those RSA tokens to access your account you probably don't have to worry about this so much, but still use a good pass phrase.

3. Account levels. You don't need a million different passwords, but having a couple of account levels is definitely appropriate. The levels should resemble the following:
*Financial - we already discussed this
*Communications - social networking, email
*Shopping and memberships - Amazon, iTunes, Netflix.
*Casual - Pretty much everything else that is non-critical

So we're talking about 4 different pass phrases to remember. They don't need to be totally different but don't make the difference obvious. Remember, 12 characters MINIMUM.

One other point of note, some stupid sites require you to use capitalization and at least one number and one symbol. In that case, come up with a standard combination and stick to a pass phrase. "we wish you a merry christmas D8$" would take care of most requirements. And if any site that is not in the "casual" category restricts you to using less than 12 characters, you should consider using some other service.

Anonymous Walter Oleg August 12, 2017 1:00 PM  

The alt-right rally went bad as the city used the police to attack the alt-right. I guess this is an SJW converged town?

Anonymous Man of the Atom August 12, 2017 1:06 PM  

Steve Gibson on "Password Haystacks".

Blogger cprogrammingfanatic August 12, 2017 1:15 PM  

The guy who hacked Red Ice should be arrested and tried for treason.

Blogger Stg58/Animal Mother August 12, 2017 1:21 PM  

Walter Oleg,

Charlottesville is totally converged, and Gov. McAuliffe is one of Hillary's top operatives. How did he get to be governor? A fake Libertarian candidate. Libertarians are dumb too. The Republican candidate was a NeverTrump zealot though, so pick your poison.

Anonymous RevDanTheMan August 12, 2017 1:22 PM  

Great funny video on how to be "100% Hack Proof"... by "Grade A Under A"... he does swear in the video so beware...

Blogger Midnight Avenue J August 12, 2017 1:22 PM  

I remember the registration tags of every car I've ever had, and use those combos plus non consecutive number strings and symbols, along with caps at certain points. Good or bad strategy?

Blogger Bodo Staron August 12, 2017 1:23 PM  

Lastpass was breached in 2015. In 2016 again.
I would not use it.

Keepass is free and good. Has a password generator built in. Use it.

Roboform free is also good, it keeps the passwords on your PC only.

Use diff passwords for every service. Use two factor auth whenever possible.

Anonymous Anonymous August 12, 2017 1:46 PM  

A long pass phrase such as "we wish you a merry christmas" is much harder for a computer to crack...

Popular pass phrases are in cracking dictionaries and will be exhausted before brute force begins. You don't want to go with song lyrics and quotable quotes. "Luke, I am your father." is a horrible password despite its length and use of symbols, upper case, and not even being the correct quote.

Blogger Avalanche August 12, 2017 1:47 PM  

@11 "Keepass is free and good."

LOVE Keepass! Been using it for years. Once a year I change the main password; four times a year I let Keepass 'create' a new (28-letter/number/character) password for all my important (banking and biz and email) accts; twice a year I change the shopping ones -- and I also NEVER let (most of) the stores "store" my credit card numbers and password! (Some do it without asking. {frown}) (It does NOT take long to copy-and-paste out of Keepass!)

For sites (esp. banks!) that ask for idiot info (mother's maiden name or the city of my birth, fer cryin' out loud! -- 'cause there is NO genealogy on the web, eh?!) I use something ELSE! Keepass lets me keep all that info well protected... and at my fingertips!

Blogger tz August 12, 2017 2:09 PM  

Even more alarming it says all the backups were wiped. What happened to offline, multiple media, and geographical locations?
Maybe I have to do a crypto think to merge ECC with blockchain tech to make an undeletable and distributed version.

Blogger JaimeInTexas August 12, 2017 2:16 PM  

Another password trick is to have a formula to create a password for a given account. A phrase with something personal combined with a feature of the account. Remember how to construct a phrase and never have to memorize a password.

Blogger Robert Browning August 12, 2017 2:23 PM  

You gotta wake up, the government hates white people and wants us all dead.

Anonymous kjj August 12, 2017 2:43 PM  

The only safe thing to do is to use unique long passwords randomly generated from a physical entropy source.

Passphrases are good too, but how many can you remember? They must be unique for each account, which means you need to store them. 16 characters of random has about the same entropy as a passphrase, so there isn't much to gain there. Might as well store the random, less to type later.

You are allowed to make an exception and re-use passwords only in circumstances where you are in full control of the server and know that they are being handled properly. Your bank may be storing a salted, hardened hash, but do you really know? If not, don't trust it - use unique passwords.

Having a system to create a unique-looking password for each account using something about that account is probably not a good idea. This is safe against hash-based attacks where the original password isn't recovered, but if some site has shitty password handling practices and someone grabs a backup table with your password in plaintext, they can probably figure out all of your other passwords.

Often overlooked is the back door password recovery via email. Don't use a SJW-owned mail service as the email account that can reset all of your other passwords. If at all possible, don't let anyone but yourself own the mail server that can reset all of your accounts.

There are good and bad password storage/encryption programs out there. If you use one, check up on it. If you don't use one, you should. Writing them on paper is fine when you don't expect to be arrested, mugged, etc. Keep it in your wallet where you'll know if you lose it, or in a physically secure location.

Also, regarding backups: if you can delete it with a typo, or if an attacker can wipe it without breaking down a door - it isn't a backup. A real backup is offline and ideally in a physically different location. Have at least two, and never let both of the backups be online at the same time (and ideally not in the same location at the same time).
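The entropy comparison argued over in the comments above (16 random characters versus a passphrase versus a quotable phrase), worked through as an added example that is not part of any commenter's post. It uses the operating system CSPRNG through Python's `secrets` module rather than a physical entropy source; the 7776-word list size (the size of a dice-generated word list), the 10-million-entry phrase dictionary and the demo words are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII characters (letters, digits, punctuation; no space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy in `picks` independent, uniform draws from `choices`."""
    return picks * math.log2(choices)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Each character comes from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, count: int) -> str:
    """Words are drawn with replacement, so every draw is independent."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare(wordlist_size: int = 7776, phrase_dictionary: int = 10_000_000):
    """Entropy of the three strategies discussed in the thread."""
    target = entropy_bits(len(PRINTABLE), 16)
    return {
        "random_16_chars": target,
        "words_to_match": words_needed(target, wordlist_size),
        # A lyric or quote is ONE pick from a phrase dictionary (size assumed),
        # so its length adds nothing once the phrase is in that dictionary.
        "known_phrase": entropy_bits(phrase_dictionary, 1),
    }


if __name__ == "__main__":
    demo_words = ["anvil", "birch", "comet", "delta", "ember", "flint"]  # constructed
    print(random_password())
    print(random_passphrase(demo_words, 6))
    for name, value in compare().items():
        print(f"{name}: {value:.1f}")
```

The passphrase figure only holds when the words are chosen at random from the list; a phrase a person made up, or one that appears in print, does not get the per-word entropy computed here.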

Anonymous Ain August 12, 2017 3:02 PM  

"For sites (esp. banks!) that ask for idiot info (mother's maiden name or the city of my birth, fer cryin' out loud! -- 'cause there is NO genealogy on the web, eh?!) I use something ELSE! Keepass lets me keep all that info well protected... and at my fingertips!"

The question is irrelevant, it's just another password/phrase field.

Anonymous Bachmusicgal August 12, 2017 3:07 PM  

A friend of mine who introduced me to Red Ice, said she was concerned because she gave money to them via PayPal (which is linked to her email and address). She's not a member apparently, but did give money. I wonder if she should be concerned.

Blogger SouthRon August 12, 2017 3:22 PM  

If you store your Keepass file on Dropbox/OneDrive/Box/Mega/whatever it can be accessed from your PC, Mac, IOS, or Android devices and all encryption and decryption happens locally. The file is stored on whatever service with multiple rounds of encryption applied.

Some time I need to get around to creating clients with a better interface and on-screen randomized keyboard to avoid keyloggers harvesting the master passphrase.

Anonymous Corrox August 12, 2017 3:36 PM  

In addition to Red Ice the Nordic Resistance Movement got their webshop hacked recently. Since both they and Red Ice are Sweden based I suspect a quasi-governmental hacking collective known as Researchgruppen (The Research Group) that grew out of Antifa anti-nationalist doxing operations and has now graduated to become a private company collecting court documents and data dumps for mainly the media. The same group have done similar things several times in the past, doxing several nationalists with poor security habits and trying to get the member database of the largest free speech site in Scandinavia.

The NRM-people seem to have a similarly poor grasp of security as Red Ice. In their press release they state that they only think a small segment of customers were affected. Seemingly not realizing that it is impossible to know any upper limit to the degree of how compromised they were and not realizing they never should have been storing customer information like names and addresses in the first place.

It's not really surprising as both are small operations with no budget to pay for serious protection and not exactly known to attract the sort of people who are really good at IT/network security.

I think the lesson here is to assume that anyone not known to be competent is likely to both get compromised and to store doxing information about you.

Anonymous Corrox August 12, 2017 3:44 PM  

Oh, and there were apparently phishing emails purporting to be apologies from NRM sent to all the emails contained in their hacked database. So I'd be wary of clicking anything that looks to be from Red Ice without checking the links carefully beforehand.

Blogger Aeoli Pera August 12, 2017 3:47 PM  

Gifford Pinchot wrote:This is disastrous, but will they dox all the customers? Do they want to make committed nationalists out of all those listeners?

How do you pronounce "shibboleth"?

Blogger Snidely Whiplash August 12, 2017 3:50 PM  

Bachmusicgal wrote:I wonder if she should be concerned.
Almost certainly not. The site that uses paypal doesn't ever even see the credit card or bank account number. (unless they are doing something very fishy that will get their account suspended).

Anonymous Bachmusicgal August 12, 2017 3:56 PM  

Snidely, thank you--she's terrified now. My assumption had always been, that was the point of paypal. But will they see her name/address or email address? I don't know all the technical details of a hacking. She sent them money via her paypal account, which has her correct email and home address.

Blogger Snidely Whiplash August 12, 2017 4:41 PM  

Paypal handles all the details of the transaction, but sends the name and address along to the site for shipping purposes.
So potentially, her name and address could be compromised. But honestly, they probably already are. Most people have their name in the phonebook.

Blogger Elocutioner August 12, 2017 5:02 PM  

Has anybody used They claim they create fake/burner credit card accounts to proxy real accounts.

Anonymous Bellator Mortalis August 12, 2017 8:22 PM  

Pass phrase is best, but as mentioned don't use a common phrase. The following is an example of how to create a good set of pass phrases:
First identify key to differentiate phrases, for example: F = financial, P = purchases, S = social, etc. So then:
Financial = "Z%1 I have a big Fuggly rabbit"
Social = "Z%1 I have a big Stupid rabbit"
Purchasing = "Z%1 I have a big Purple rabbit"

These are long, can't be guessed (especially since you don't actually have a rabbit), and cover the stupid capitalization, numeric, and non-alphanumeric requirements. Plus easy to remember because they are all the same, EXCEPT they vary by one word which relates to the category of the pass phrase.

And as computing power's ability to crunch pass phrases increases, just increase the length, e.g. "Z%1 I have a big Stupid rabbit that eats oats in October". This approach should cover you for the next 20 years or so.
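The concern raised earlier in the thread about formula-derived passwords, applied to phrases of the shape quoted in the comment above, as an added example that is not part of any commenter's post: a check to run over an export of your own password vault that flags reused and near-duplicate entries. The vault entry names, the random `email` value and the 0.8 similarity threshold are assumptions.

```python
import os
from difflib import SequenceMatcher
from itertools import combinations

THRESHOLD = 0.8  # assumed cut-off for "derived from the same template"


def shared_template(a: str, b: str):
    """Return the (prefix, suffix) two secrets have in common."""
    prefix = os.path.commonprefix([a, b])
    rest_a, rest_b = a[len(prefix):][::-1], b[len(prefix):][::-1]
    suffix = os.path.commonprefix([rest_a, rest_b])[::-1]
    return prefix, suffix


def audit(vault: dict, threshold: float = THRESHOLD):
    """Flag reused and near-duplicate secrets in your own vault export."""
    findings = []
    for (n1, p1), (n2, p2) in combinations(sorted(vault.items()), 2):
        if p1 == p2:
            findings.append({"pair": (n1, n2), "kind": "reused", "unknown": 0})
            continue
        ratio = SequenceMatcher(None, p1, p2, autojunk=False).ratio()
        if ratio >= threshold:
            prefix, suffix = shared_template(p1, p2)
            # Characters of p2 not covered by the template shared with p1.
            unknown = len(p2) - len(prefix) - len(suffix)
            findings.append({"pair": (n1, n2), "kind": "derived", "unknown": unknown})
    return findings


SAMPLE_VAULT = {
    # The three phrases quoted in the comment above.
    "financial": "Z%1 I have a big Fuggly rabbit",
    "social": "Z%1 I have a big Stupid rabbit",
    "purchasing": "Z%1 I have a big Purple rabbit",
    "email": "q7#Lm2!xVt9@Rz4&",  # constructed random value for contrast
}

if __name__ == "__main__":
    for f in audit(SAMPLE_VAULT):
        print(f["pair"], f["kind"], "unknown chars:", f["unknown"])
```

Each 30-character phrase shares all but 6 characters with its siblings, so a plaintext leak of one leaves only a single dictionary word protecting the others; the random entry is not flagged.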

Blogger Drew August 12, 2017 8:52 PM  

I think I need to invest in a good proxy too.
@2 Nord is a great VPN provider. It is end-to-end encrypted and will automatically proxy all your web traffic.
Best part is that they are a Panama company, so they do not keep any logs of your activity. Even with a government subpoena, they won't be able to track you.

Anonymous Killua August 12, 2017 11:49 PM  

Damn, I use very similar passwords for everything. Isn't google supposed to protect your accounts?

I used to be careless with passwords. Now I realize cybersecurity is super important. In one of the companies I worked for, there was a phishing attempt, and it was a Fortune 500 one.

Blogger VD August 13, 2017 5:10 AM  

Damn, I use very similar passwords for everything. Isn't google supposed to protect your accounts?

You're kidding, right? No, they don't do anything special to protect your accounts. Especially if they don't like you.

Blogger James Dixon August 13, 2017 10:27 AM  

Add yet another recommendation for KeePass. It also has the advantage that it's available for all the major platforms.

> Nord is a great VPN provider.

I've heard good things about them, yes. But the one I've seen most recommended is PrivateInternetAccess. I haven't used any of them, but I'm considering it.

Blogger Unknown August 13, 2017 1:41 PM  

I've been using private internet access for a few months, seems decent (I'm not an IT guy, so keep that in mind). It works on your phone, they'll take a Walmart gift card as payment (use cash if you're truly paranoid). No problem so far.

Henrik released an update on the situation, here it is:
RedIce hack update.

If you are doxxed, just tell your employer you are interested in kooky conspiracy theories or whatever.

Anonymous Cossack August 13, 2017 10:03 PM  

The FBI is behind the attacks on the alt right they have hacked all digital devices of dissenters, anyone to the right of Paul Ryan, they log all keystrokes and give a live feed of keystrokes to political enemies claiming that the alt right "threatened" them. A "threat" can consist of, "Boy, blacks sure do commit a lot of crime on BART." I'll prove this seemingly insane claim soon enough.

Anonymous Killua August 14, 2017 10:02 PM  

You're kidding, right?

Um, yeah, it was a joke. I meant to say I am totally hackproof -_-

