Shostack + Friends Blog Archive


The Onion and Breach Disclosure

There’s an important and interesting new breach disclosure that came out yesterday. It demonstrates leadership by clearly explaining what happened and offering up lessons learned.

In particular:

  • It shows the actual phishing emails
  • It talks about how the attackers persisted their takeover by sending a fake “reset your password” email (more on this below)
  • It shows the attacker IP address (
  • It offers up lessons learned

Unfortunately, it offers up some Onion-style ironic advice like “Make sure that your users are educated, and that they are suspicious of all links that ask them to log in.” I mean, “Local man carefully checks URLs before typing passwords.” Better advice would be to have bookmarks for the sites you need to log in to, or to use a password manager that knows what site you’re on.
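To make concrete why “a password manager that knows what site you’re on” beats asking people to eyeball URLs, here is a small added illustration (mine, not code from The Onion or from this blog). It models the one thing a manager actually checks: the page’s origin (scheme, host, port). The vault contents and the URLs are constructed samples; a page that merely looks like the login page, sits on a lookalike host, or hides the real host behind a `user@` prefix gets nothing filled in, no matter how convincing the email that led there was.

```python
from urllib.parse import urlsplit

# Constructed sample vault. Entries are keyed by origin (scheme, host, port),
# never by page title, logo or wording, which is exactly what a phishing page copies.
VAULT = {
    ("https", "mail.example.com", 443): ("alice", "correct horse battery staple"),
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def page_origin(url):
    """Reduce a URL to the (scheme, host, port) triple a password manager matches on.

    urlsplit().hostname already lowercases the host and drops any 'user:pass@'
    prefix, so 'https://mail.example.com@evil.test/' resolves to evil.test.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def autofill(url):
    """Return (username, password) only when the page origin exactly matches a stored one.

    Lookalike hosts, an http downgrade of an https site, or a userinfo trick
    all fail the exact-match lookup and get None: no credentials leave the vault.
    """
    return VAULT.get(page_origin(url))


if __name__ == "__main__":
    # Constructed URLs in the style of a phishing "reset your password" link.
    for candidate in [
        "https://mail.example.com/login",
        "https://MAIL.example.com:443/reset?token=abc",
        "https://mail.example.com.evil.test/login",
        "http://mail.example.com/login",
        "https://mail.example.com@evil.test/reset",
    ]:
        filled = autofill(candidate) is not None
        print(f"{'FILL   ' if filled else 'REFUSE '} {candidate}")
```

The point of the exact-match lookup is that it does not get tired at 2:30 AM: the decision is made on the origin the browser actually connected to, not on what the page or the email claims to be.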

The reset your password email is also fascinating. (“The attacker used their access to a different, undiscovered compromised account to send a duplicate email which included a link to the phishing page disguised as a password-reset link. This dupe email was not sent to any member of the tech or IT teams, so it went undetected.”) It shows that the attackers were paying attention, and it allows us to test the idea that, ummm, local man checks URLs before typing passwords.

Of course, I shouldn’t be too harsh on them, since the disclosure was, in fact, by The Onion, who is now engaged in cyberwar with the Syrian Electronic Army. The advice they offer is of the sort that’s commonly offered up after a breach. With more breaches, we’ll see details like “they used that account to send the same email to more Onion staff at about 2:30 AM.” Do you really expect your staff to be diligently checking URLs when it’s 2:30 AM?

Whatever you think, you should read “How the Syrian Electronic Army Hacked The Onion,” and ask if your organization would do as well.

3 comments on "The Onion and Breach Disclosure"

  • Email scam has been going forever. Educating users is easier said than done. It’s a problem that has to be taken seriously.

  • anonymouse says:

    do you know if they released the images of the phishing pages used? How good of an attack was it?

  • Sorry to contact you this way – this is not a response – but I couldn’t find a contact address for you. I saw your blog listed in the Top 20 Security Blogs. Congratulations!

    I wondered if you wanted to try out the secure email we invented.

    It is the only non-fiddly encryption on the market. No software required at the other end, no software on the sender’s device, works on smart phones.

    If you wanted to have a look – and I hope you would – a free 30-day trial is on our website

    Thanks for reading.

    Kind regards,

Comments are closed.