Attacks/Breaches
6/6/2011
12:58 PM
Connect Directly
RSS
E-Mail
50%
50%

LulzSec Hackers Hit Nintendo, FBI Affiliate Websites

Sony's developer network source code was also released by the group, which allegedly attempted to extort a security researcher for botnet information.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
It's been a busy couple of weeks for the hacking group known as LulzSec, aka the Lulz Boat.

On Friday, LulzSec said in a statement that its members had exploited the website of the Atlanta chapter of InfraGard, a private, non-profit organization that exists to serve as a public/private partnership with the FBI. LulzSec also posted 180 member usernames and passwords gleaned from the attack, and said it deleted all information stored on the website. As of press time, the website resolved to a page listing it as being "under construction."

LulzSec is the same outfit that recently defaced the PBS website, posting fake news. More recently, the group hacked into a Sony Pictures Entertainment website, exposing one million passwords.

Meanwhile, on Sunday, the group said on its Twitter feed that it had exploited the Nintendo website, but chose to only steal a configuration file. It also said that Nintendo had already fixed the vulnerability it exploited to gain access to the website.

That same day, Nintendo released a statement saying that the breached website contained no customer data, and that no customer data had been stolen. Nintendo was not available for immediate comment about its response to the attacks.

On Monday, adding to its list of exploits, LulzSec released a compressed, 58-MB file, which it says contains the source code for the Sony Computer Entertainment Developer Network. It also promised to throw "more Sony booty overboard soon!" That apparently referred, at least for starters, to the "internal network maps of Sony BMG," which the group released shortly thereafter.

The group also released numerous work and private emails for a security entrepreneur. It obtained access to his email accounts via its hack of the Atlanta InfraGard chapter's website, in which it stole passwords that it then found were reused across multiple sites. As a result, the group said it was able to access both the business and personal Gmail accounts for Atlanta InfraGard member Karim Hijazi, a security consultant who's CEO and president of botnet monitoring startup firm Unveillance, and formerly the principal of security firm Demiurge Consulting.

Based on Hijazi's emails, LulzSec alleged that "we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya's cyber infrastructure."

LulzSec appears to be referring to a report to which Unveillance contributed information, called "Project Cyber Dawn Libya." The report was co-written by 21 people and released by the Cybersecurity Forum Initiative (CSFI), which appears to be an ad hoc group of cyber warfare devotees.

According to CSFI, the report examines Libya's current "cyber warfare capabilities and defenses," and is intended to "help the international community to understand not only Libya's potential to influence the balance in cyberspace, but also the physical repercussions of cyber-attacks originating from, and directed towards Libya."

Via BitTorrent, LulzSec also released a large quantity of Hijazi's emails. (If Hijazi failed to vary his password for different websites, in those emails he did at least appear to make regular use of PGP to encrypt his business communications--and LulzSec doesn't seem to have cracked those messages.) The group also released an IRC chat transcript that it said occurred between various members of its group and Hijazi. In that chat, said LulzSec, Hijazi "offered to pay us to eliminate his competitors through illegal hacking means in return for our silence."

But was one side just playing the other?

Hijazi, on Friday, fired back at the group in a statement, alleging that over a two-week period, LulzSec members tried to extort information and money from him in exchange for not releasing his emails. According to an IRC chat transcript referenced by Hijazi, a member of LulzSec tells him, "Don't think of it as extortion ... consider it a partership (sic)."

"In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities," said Hijazi.

"Because of this, they followed through in their threats--and attacked me, my business, and my personal reputation. I believe this incident shows the true nature of LulzSec," he said.

In response to Hijazi's statement, meanwhile, LulzSec said that its extortion attempt was a ruse. "To clarify: it was not our goal to extort anything from ... we were merely testing if he would fold or not," it said in a Twitter post on Saturday. According to another statement released by the group, "naturally we were just stringing him along to further expose the corruption of whitehats."

But in its chat transcripts with Hijazi, LulzSec does seem to be seeking data related to botnets, and in particular Mariposa. Asked by Hijazi what their intentions are for the data, one LulzSec member with the handle "Espeon" replied, "We like botnets, we like data ... we like crushing things; we like inside information."

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3541
Published: 2014-07-29
The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on.

CVE-2014-3542
Published: 2014-07-29
mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) is...

Best of the Web
Dark Reading Radio