6/6/2011
12:58 PM

LulzSec Hackers Hit Nintendo, FBI Affiliate Websites

Sony's developer network source code was also released by the group, which allegedly attempted to extort a security researcher for botnet information.

It's been a busy couple of weeks for the hacking group known as LulzSec, aka the Lulz Boat.

On Friday, LulzSec said in a statement that its members had exploited the website of the Atlanta chapter of InfraGard, a private, non-profit organization that exists to serve as a public/private partnership with the FBI. LulzSec also posted 180 member usernames and passwords gleaned from the attack, and said it deleted all information stored on the website. As of press time, the website resolved to a page listing it as being "under construction."

LulzSec is the same outfit that recently defaced the PBS website, posting fake news. More recently, the group hacked into a Sony Pictures Entertainment website, exposing one million passwords.

Meanwhile, on Sunday, the group said on its Twitter feed that it had exploited the Nintendo website, but chose to only steal a configuration file. It also said that Nintendo had already fixed the vulnerability it exploited to gain access to the website.

That same day, Nintendo released a statement saying that the breached website contained no customer data, and that no customer data had been stolen. Nintendo was not available for immediate comment about its response to the attacks.

On Monday, adding to its list of exploits, LulzSec released a compressed, 58-MB file, which it says contains the source code for the Sony Computer Entertainment Developer Network. It also promised to throw "more Sony booty overboard soon!" That apparently referred, at least for starters, to the "internal network maps of Sony BMG," which the group released shortly thereafter.

The group also released numerous work and private emails of a security entrepreneur. It obtained access to his email accounts through its hack of the Atlanta InfraGard chapter's website, where it stole passwords that it then found had been reused on other sites. As a result, the group said it was able to access both the business and personal Gmail accounts of Atlanta InfraGard member Karim Hijazi, a security consultant who is CEO and president of the botnet-monitoring startup Unveillance, and formerly the principal of security firm Demiurge Consulting.

Based on Hijazi's emails, LulzSec alleged that "we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya's cyber infrastructure."

LulzSec appears to be referring to a report to which Unveillance contributed information, called "Project Cyber Dawn Libya." The report was co-written by 21 people and released by the Cybersecurity Forum Initiative (CSFI), which appears to be an ad hoc group of cyber warfare devotees.

According to CSFI, the report examines Libya's current "cyber warfare capabilities and defenses," and is intended to "help the international community to understand not only Libya's potential to influence the balance in cyberspace, but also the physical repercussions of cyber-attacks originating from, and directed towards Libya."

Via BitTorrent, LulzSec also released a large quantity of Hijazi's emails. (Although Hijazi apparently reused his password across different websites, those emails show that he did at least make regular use of PGP to encrypt his business communications, and LulzSec does not appear to have cracked those messages.) The group also released an IRC chat transcript that it said records a conversation between various members of the group and Hijazi. In that chat, said LulzSec, Hijazi "offered to pay us to eliminate his competitors through illegal hacking means in return for our silence."

But was one side just playing the other?

Hijazi, on Friday, fired back at the group in a statement, alleging that over a two-week period, LulzSec members tried to extort information and money from him in exchange for not releasing his emails. According to an IRC chat transcript referenced by Hijazi, a member of LulzSec tells him, "Don't think of it as extortion ... consider it a partership (sic)."

"In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities," said Hijazi.

"Because of this, they followed through in their threats--and attacked me, my business, and my personal reputation. I believe this incident shows the true nature of LulzSec," he said.

In response to Hijazi's statement, meanwhile, LulzSec said that its extortion attempt was a ruse. "To clarify: it was not our goal to extort anything from ... we were merely testing if he would fold or not," it said in a Twitter post on Saturday. According to another statement released by the group, "naturally we were just stringing him along to further expose the corruption of whitehats."

But in its chat transcripts with Hijazi, LulzSec does seem to be seeking data related to botnets, and in particular Mariposa. Asked by Hijazi what their intentions are for the data, one LulzSec member with the handle "Espeon" replied, "We like botnets, we like data ... we like crushing things; we like inside information."

