The Risk of a Categorical Denial - The MilitarySingles.com hack
The first I read on the alleged MilitarySingles.com hack was this:
With the usual link to pastebin for more details. So far a simple hack story. Nothing to see here. Time to move on.
But then the same story came up at The Office of Inadequate Security, along with a denial by the company that runs MilitarySingles.com. The denial reads:
“After a thorough investigation by our company programmers, it is our conclusion that our database was not hacked and that the claims of the Lulzsec group are completely false. Here are a couple of points to note:
1. The total number of users in our database does not even closely match the number they have claimed to have exposed.
2. All user passwords in our database are encrypted and secure.
3. The location of the file the above user posted is in a repository directory on our website for users’ photos. The above user simply uploaded a photo of the Lulzsec group, and this does not mean in any way whatsoever that they were successful in actually hacking our service.
4. MilitarySingles.com was down for a few hours on March 25th due to regularly scheduled maintenance, not due to any outside activity.
We have taken measures to confirm our website and its database is secure and safe for our members, and will continue to do so. We are unable to confirm that the so-called checklist of email addresses has actually come from our user database.”
Sounds like a pretty comprehensive and categorical denial.
This was followed by:
Now things are looking interesting. Hackers claim to have hacked a website and downloaded everything; the company that runs it claims that they didn’t.
So Were They Hacked?
A quick look at the files (which, since the company wasn’t hacked, presumably aren’t theirs) reveals:
- A file MilitaryDatabase.rar which is a compressed SQL file containing a 500MB dump of a database. It contains an administrator password (both in clear text and as a hash), recent chat sessions, user profiles, email addresses, and hashed passwords. The chat sessions often make references to US military deployments and bases.
- A file Military.rar which is a compressed 57 MB text file containing user email addresses, names, and hashed passwords. There are 170,937 records.
The IQ Security Blog has analyzed the database dump. It contained the unsalted MD5 hashes of user passwords. Unsalted hashes are particularly easy to crack: because no per-user salt is mixed in, the MD5 of every common password can be pre-computed once and then matched against every account in the dump with a simple lookup, and any two users who chose the same password show up with the identical hash. IQ Security report that they managed to crack 151,972 of the 163,792 password hashes in just 9 hours.
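To make the salting point concrete, here is an added example (my code, not the IQ Security analysis or anything from the leaked files) that cracks a constructed dump two ways. The usernames, passwords and the tiny wordlist are invented for the illustration; a real run would use a wordlist of millions of entries, which is exactly where the cost difference bites. The unsalted case hashes each candidate once and then looks up every user for free; the salted case has to re-hash the whole wordlist under each user’s salt.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed wordlist and user records for the example; none of this comes
# from the leaked dump, and every username and password here is invented.
WORDLIST: List[str] = [
    "password", "123456", "letmein", "army1", "navy2012", "qwerty", "semper fi",
]
PLAINTEXTS: List[Tuple[str, str]] = [
    ("alice", "password"),
    ("bob", "navy2012"),
    ("carol", "letmein"),
    ("dave", "correct horse battery staple"),  # not in the wordlist: survives both attacks
    ("erin", "password"),                      # same password as alice
]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def make_unsalted_dump(users: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Plain md5(password), the scheme the leaked table was described as using."""
    return [(user, md5_hex(pw.encode())) for user, pw in users]


def build_lookup(words: List[str]) -> Dict[str, str]:
    """Hash every candidate once. With no salt this table is valid for every
    account in every dump that uses plain MD5, so it can be built long before
    any particular breach (a rainbow table is the space-compressed version)."""
    return {md5_hex(w.encode()): w for w in words}


def crack_unsalted(dump: List[Tuple[str, str]], lookup: Dict[str, str]) -> Dict[str, str]:
    """Each record costs one dictionary lookup, not a single hash computation."""
    return {user: lookup[h] for user, h in dump if h in lookup}


def salted_md5(salt: bytes, password: str) -> str:
    return md5_hex(salt + password.encode())


def make_salted_dump(users: List[Tuple[str, str]]) -> List[Tuple[str, bytes, str]]:
    """Same passwords, but md5(salt || password) with a random 16-byte salt per user."""
    out = []
    for user, pw in users:
        salt = os.urandom(16)
        out.append((user, salt, salted_md5(salt, pw)))
    return out


def crack_salted(dump: List[Tuple[str, bytes, str]], words: List[str]) -> Tuple[Dict[str, str], int]:
    """The precomputed table is useless here: the wordlist has to be re-hashed
    under each user's own salt. Returns (cracked, number of hash operations)."""
    cracked: Dict[str, str] = {}
    ops = 0
    for user, salt, h in dump:
        for w in words:
            ops += 1
            if salted_md5(salt, w) == h:
                cracked[user] = w
                break
    return cracked, ops


def demo() -> Dict[str, int]:
    """Crack both dumps with the same wordlist and report what each cost."""
    lookup = build_lookup(WORDLIST)  # len(WORDLIST) hashes, done once, reusable forever
    unsalted = crack_unsalted(make_unsalted_dump(PLAINTEXTS), lookup)
    salted, salted_ops = crack_salted(make_salted_dump(PLAINTEXTS), WORDLIST)
    return {
        "users": len(PLAINTEXTS),
        "unsalted_cracked": len(unsalted),
        "unsalted_hash_ops": len(WORDLIST),
        "salted_cracked": len(salted),
        "salted_hash_ops": salted_ops,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing in the output. First, alice and erin get the identical unsalted hash, so cracking one cracks both, and the cracker can spot shared passwords across the whole dump without cracking anything. Second, the salted dump gives up the same four weak passwords; the salt only multiplies the attacker’s work by the number of users instead of letting one table serve all of them. Against 160,000 accounts that multiplier matters, but the proper fix is a deliberately slow, salted password hash (bcrypt, scrypt, or PBKDF2 with a high iteration count) so that each guess is expensive as well as unshareable.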
“It Never Happened”
I guess we can all breathe a big sigh of relief that the breach never happened, because, as MilitarySingles.com’s Facebook page read on April 1st:
It’s still possible that the LulzSec hackers had an extreme case of obsessive-compulsive disorder and put together 570MB of fabricated data in some form of elaborate April Fool’s joke.
The Problem of Denial
What will happen if the hackers were correct?
That’s the problem with a categorical denial like the one above. It’s a rookie PR mistake. You do well if you are right, but you are damned if you are wrong.
A better approach might have been to use a non-denial denial, as popularized by Woodward and Bernstein in their book on the Watergate scandal, “All The President’s Men”. Say you don’t have any evidence yet. Say that LulzSec is known to issue statements designed to mislead and confuse. Recommend everyone change their passwords as a precaution.
But don’t issue what sounds like a categorical denial and then go silent as conflicting evidence mounts. Who is going to believe or trust you now?
As it is, it’s going to be quite interesting to see how this one plays out.
Michael Z. Bell