Monday, May 30, 2011

PBS, Sony, Fox Websites Hacked By LulzSec's Lulz Boat, AT&T Next?

A new group of web pirates is making itself known, as it sails the high seas of The Internet in search of what it describes on Twitter as #fun #fun #fun.

The Lulz Boat, or what the group really calls itself: LulzSec, has hacked into the websites of PBS, Sony, and Fox, in reverse order over the last two months - and AT&T appears to be next on their list.

The Sony Hacks

The series of Sony hacks (not just one), reported to be the largest in Internet history, caused the Japanese icon to shut down its PlayStation servers for a month. LulzSec left this tweet:

LOL @Sony, nice Japanese website dumbasses: http://pastebin.com/NyEFLbyX

That link leads to this message, which lists the Sony website pages and contains two links into Sony's database structure:

@LulzSec was here you sexy bastards!

This isn't a 1337 h4x0r, we just want to embarrass Sony some more. Can this be hack number 8? 7 and a half?!

Stupid Sony, so very stupid:

SQLi #1: http://www.sonymusic.co.jp/bv/cro-magnons/track.php?item=7419
SQLi #2: http://www.sonymusic.co.jp/bv/kadomatsu/item.php?id=30&item=4490

(two other databases hosted on this boxxy box, go for them if you want)

And LulzSec does it all with the interesting tagline "Laughing at your security since 2011!"

And that seems to be the point of their hacks: taking advantage of apparent and simple gaps in system design. LulzSec refers to the "seven processes" in their Twitter account, as if they were the "seven seas" that pirates would sail on.

Given that the group describes its actions as pirate boat attacks, the "seven processes" appear to be the approaches they use to enter a website and its database.

The SQL Injection Method

Generally, what LulzSec seems to be doing is using something called the SQL injection method. It starts with the "Structured Query Language," or SQL, a language used, much as C or HTML are used for other tasks, to create and manage the data in a website's database. The technique of "convince the application to run SQL code that was not intended" is described in detail at Steve Friedl's website at unixwiz.net, where he provides ways to "mitigate" against approaches such as the ones used by LulzSec. You can see that with a click and scroll here: FIX.
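To make the point concrete, here is an added example (not from the original post, and not Steve Friedl's code) of the gap described above and the fix he recommends: a lookup by a `?item=` request parameter, first built by pasting the parameter into the statement, then with the parameter passed separately so the database never treats it as SQL, plus an input check in front of it. The track table, the `item` values and the function names are all constructed for this illustration; the database is an in-memory SQLite one so it runs anywhere.

```python
import sqlite3

# Constructed sample catalogue standing in for a music site's track table.
SAMPLE_TRACKS = [
    (7419, "Track A", 1200),
    (4490, "Track B", 1500),
    (30, "Track C", 900),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE track (id INTEGER PRIMARY KEY, title TEXT, price INTEGER)"
    )
    conn.executemany("INSERT INTO track VALUES (?, ?, ?)", SAMPLE_TRACKS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, item: str) -> list:
    # BAD: the request parameter is pasted straight into the statement text,
    # so whatever SQL it happens to contain becomes part of the query.
    sql = f"SELECT id, title FROM track WHERE id = {item}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, item: str) -> list:
    # GOOD: the statement is fixed and the parameter travels separately, so the
    # database treats it purely as a value to compare against, never as SQL.
    sql = "SELECT id, title FROM track WHERE id = ?"
    return conn.execute(sql, (item,)).fetchall()


def validated_lookup(conn: sqlite3.Connection, item: str) -> list:
    # Belt and braces: an item id can only be a positive integer, so reject
    # anything else before it reaches the database at all.
    if not item.isdigit():
        raise ValueError("item must be a positive integer")
    return safe_lookup(conn, int(item))


def demo() -> dict:
    """Run both lookups against a normal and a constructed hostile parameter."""
    conn = build_db()
    normal = "7419"
    tampered = "7419 OR 1=1"  # constructed hostile value for the ?item= parameter
    return {
        "vulnerable_normal": vulnerable_lookup(conn, normal),
        "vulnerable_tampered": vulnerable_lookup(conn, tampered),
        "safe_normal": safe_lookup(conn, normal),
        "safe_tampered": safe_lookup(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Run it and the vulnerable lookup hands back the whole table for the tampered value, while the parameterised lookup returns nothing, because SQLite compares the literal string against the integer id and finds no match. The validation step in `validated_lookup` is the second half of the advice: even with parameters in place, a parameter that can only ever be a number should be rejected before the query runs.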

Tupac and LulzSec Fame

The LulzSec group gained recent fame by hacking into the PBS website and posting a report that legendary rapper Tupac Shakur is "alive and well" in New Zealand, along with Biggie Smalls, aka The Notorious BIG.

Which is interesting, because history tells us of a feud between them that resulted in their deaths. But I digress.

Why PBS?

Reportedly, LulzSec hacked into the PBS website because of the public television giant's Frontline programs on Wikileaks and Private Bradley Manning. But personally, I don't think that's the reason: LulzSec just did it because PBS was vulnerable. So, they hacked in, made up a reason for the action after it was successful, then turned their attention to Tupac and Biggie.

Think about it. Why would a group announce it was going to hack into a website and state its motives before the action unless they had reason to believe they were going to be successful?

Bragging On Twitter

The programmers are particularly active on Twitter, and not shy about their future objectives, or their present conquests. Here's a sample from their Twitter page https://twitter.com/LulzSec:

LulzSec The Lulz Boat
Hey @PBS admins, you still trying to regain control? The Lulz Boat sails through your horrendously-outdated kernels! #Sownage next, folks.
5 hours ago Favorite Retweet Reply

LulzSec The Lulz Boat
Sony happens when Sony happens - we're celebrating our victory right now. The fun will never stop!
6 hours ago Favorite Retweet Reply

LulzSec The Lulz Boat
We dominate their entire stupid website. Selling custom blog.pbs.org domains, php/user included, lulzsec@hushmail.com - 2 BitCoins each!
6 hours ago Favorite Retweet Reply

LulzSec The Lulz Boat
Oh yes, that's right... #Sownage tomorrow. We hope. We decided to obliterate @PBS instead out of distraction. *heads off to the Lulz Cabin*
9 hours ago Favorite Retweet Reply

LulzSec The Lulz Boat
@ShiverMeTimbres PBS can't recover much, all their base are belong to us. They only broke the file that lets you read articles.
11 hours ago Favorite Retweet Reply


LulzSec The Lulz Boat
We're working on another Sony operation. We've condensed all our excited tweets into this one: this is the beginning of the end for Sony.
26 May Favorite Retweet Reply

As of this writing, it looks like PBS has regained control of the articles section of its website: http://www.pbs.org/newshour/rundown/a and Newshour reports on Twitter:

FYI: None of our visitors' personal information or emails were compromised during last night's incident ^TG

But LulzSec says that's the only part that PBS controls, so while all may seem OK, it's not. The PBS website is still largely under LulzSec's control, according to LulzSec.

(An observation: what's good about Twitter, is that PBS Newshour was able to use it not just to report the hack, but to explain the false Tupac news.)

Chester Wisniewski's Annoying Blog Post

A network security specialist named Chester Wisniewski posted a rather annoying blog entry at his Naked Security blog site. This set of paragraphs Mr. Wisniewski wrote below was particularly troublesome to this blogger:


While PBS is the victim here, the passwords disclosed for most affiliates are embarrassingly predictable.


There was absolutely no skill involved in this attack, as it used freely available tools to exploit the databases. The attackers represent nothing more than what many historically thought of as hackers: people creating chaos with no other purpose than gaining fame, irrespective of the damage caused.


The attack is nearly identical to the recent attack against SonyMusic.co.jp. LulzSec used the same tool to attack the Sony website, although far less sensitive information was disclosed in the Sony attack.


Several other databases were disclosed, some including plain text passwords, others using hashes. It is unfortunate that PBS was vulnerable to this kind of attack and even worse that so many passwords were stored in clear text. Revealing this information is criminal and there are certainly more respectable ways of disclosing flaws than exposing so many users' passwords.


To write that there was "absolutely no skill involved in this attack" is nothing more than one programmer dissing another, and helping no one. The fact is, LulzSec did it, and in ways that aren't familiar to the general public. That makes them what? A specialist with a skill - a dangerous and effective one that impacts millions of people.

If what LulzSec did called for "no skill," then Chester Wisniewski should have posted the methods to fix the gaps in their website security. He did not do that. If the problem is an SQL injection flaw, which is how LulzSec entered both the PBS and Sony website systems, then why not show how to spot the problem and fix it - as I did here, noting Steve Friedl's website.

Facebook, Twitter, Safe

That LulzSec was able to easily hack into the websites of large, traditional brands, means that new media companies with far more secure website systems are safe, specifically Facebook, YouTube, and Twitter, to name some of them.

The point of all this really should be to work with Internet entrepreneurs who build large, database-driven website companies, and not just any programmer on the block, in developing website protection systems that are extremely secure. As LulzSec claims, "no one is safe," and that may be, but you can make your website safer than the next website.

Stay tuned. 