Whistleblower-friendly site Cryptome booted briefly offline for hosting "malicious content"

Filed Under: Featured, Privacy

US whistleblower-friendly site Cryptome recently suffered a short outage, after it was booted offline by its ISP and then allowed back.

Unlike Wikileaks and former front-man Julian Assange, Cryptome and its founders have never vigorously sought the limelight, though the site's persistence and commitment to free speech - it has been running since 1996 - cannot be doubted.

Cryptome describes its purpose fairly plainly as a repository for "material on freedom of expression, privacy, cryptology, dual-use technologies, national security, intelligence, and secret governance - open, secret and classified documents - but not limited to those."

In this case, a complainant using the name Sima Jiro asked Network Solutions, Cryptome's service provider, to look into an archive entitled jp-terrorist-files.zip, claiming that it "clearly" violated the company's terms of use.

Although Sima Jiro mentioned that the files included documents that were "probably classified or confidential," this didn't appear to be the chief reason for the complaint.

The main problem, suggested Sima Jiro, was that the questionable material also provided "lots of personal information, such as names, DOBs [dates of birth], family structures, workplaces, phone numbers," and thus that "[p]eople whose private information has been exposed are now in very deep worry."

And whether you're a serious freespeecher or not, it's hard to quibble with that sort of complaint.

Of course, the complaint could be made-up: there might, after all, be no-one on the list who is in any sort of worry at all, let alone deep worry, as claimed.

Nevertheless, PII (personally identifiable information) remains PII, regardless of the status of the person in the equation.

As a result, Cryptome was suspended by Network Solutions for hosting what the ISP referred to as malicious content.

The outage was brief, however, with Cryptome's connectivity restored less than an hour later.

The intriguing thing here is not the takedown itself, but the reason suggested, in the Network Solutions takedown boilerplate, as the most likely explanation for what happened:

This can be caused by code vulnerabilities in an existing content-management system (CMS) or other script that has been compromised. The most common cause is an outdated, hacked CMS such as Joomla, Drupal, or WordPress. To rectify this issue, you will need to secure your CMS. If your site is a CMS, you will need to update the code/script(s) via FTP. We will not enable web access for you to secure your compromised form(s) or site(s). If you can't update the site via FTP you will need to disable the site before we can lift any suspension, including removing ALL of the PHP content.

I imagine it is probably legally safer for an ISP to start off by giving its customers the benefit of the doubt, and blaming external hackers, than by openly accusing them of deliberately hosting malicious content.

(It also gracefully skirts the issue of whether the content really is malicious, or merely worthy of urgent investigation.)

But I also don't doubt the stated experience of Network Solutions, namely that an unpatched content management system is the most likely reason for dodgy or unwanted content to turn up on a site that users are complaining about.

Note also that simply "disabling" your site isn't enough for Network Solutions to let you back in to try to fix it: the ISP insists that you remove all PHP content first.

PHP is a server-side scripting language that is commonly used to rewrite web pages, or to build them on the fly, before sending them out to a visitor.

That means that HTML file templates that appear perfectly innocent on your server may end up actively dangerous by the time they set sail from your server in HTTP replies.

Of course, Network Solutions' advice to "remove all PHP" may not be as easy as it sounds.

You probably remember the recent case of a compromise in the official distribution of the OpenX ad-server software.

In that attack, rogue PHP scripts were disguised as JavaScript and then buried deeply and non-obviously inside an optional JavaScript component.

Why not take the Network Solutions takedown notice both as a warning and as advice for your own site?

Make sure you don't host anything unexpected and unwanted:

  • Patch early, patch often.
  • Consider using an anti-virus product to scan your content servers. (Yes, even if they are running Linux.)
  • Consider an outbound (or reverse) web proxy to scan served-up content on the way out.
  • Keep your eye on your PHP modules, and beware of rogue components.
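As an added example (not code from the article, from Network Solutions or from the OpenX project), here is a small Python audit script in the spirit of the last two bullets: it walks a web root and reports PHP open tags found in files that should not contain any, which is exactly how the rogue PHP in the OpenX compromise was hidden inside a JavaScript component. The sample files it scans are constructed, and the list of extensions treated as "legitimately PHP" is an assumption you should match to your own site.

```python
"""Flag PHP open tags in files that should contain none (added example, not the article's or OpenX's code)."""
import os
import re
import shutil
import tempfile
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".inc"}  # files expected to hold PHP (assumed list)

# PHP open tags; a bare '<?' is only flagged when it is not an XML prologue.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=|<\?(?!xml)\s|<script\s+language\s*=\s*[\"']?php[\"']?",
                        re.IGNORECASE)

def find_php_tags(path):
    """Return [(line_number, snippet), ...] for every line with a PHP open tag."""
    hits = []
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, start=1):
            if PHP_TAG_RE.search(line):
                hits.append((lineno, line.strip()[:80].decode("utf-8", "replace")))
    return hits

def scan_webroot(root):
    """Walk root; map relative path -> hits for non-PHP files that contain PHP tags."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
                continue  # PHP is expected here; audit those files separately
            path = os.path.join(dirpath, name)
            hits = find_php_tags(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def scan_constructed_webroot():
    """Build a throwaway web root from constructed sample files, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "js", "vendor"))
    samples = {
        "index.php": "<?php echo 'normal'; ?>\n",
        "sitemap.xml": '<?xml version="1.0"?>\n<urlset/>\n',
        "js/app.js": "function hello() { return 'hi'; }\n",
        "js/vendor/player.min.js": "var x=1;\n<?php /* constructed marker */ echo 'hidden'; ?>\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w") as fh:
            fh.write(body)
    findings = scan_webroot(root)
    shutil.rmtree(root)
    return findings
```

Run `scan_webroot("/path/to/your/docroot")` on a real site; anything it reports deserves a look, and a clean run is no substitute for patching the CMS itself.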



About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog