Sony's developer network source code was also released by the group, which allegedly attempted to extort a security researcher for botnet information.

Mathew J. Schwartz, Contributor

June 6, 2011

5 Min Read

10 Massive Security Breaches

10 Massive Security Breaches


(click image for larger view)
Slideshow: 10 Massive Security Breaches

It's been a busy couple of weeks for the hacking group known as LulzSec, aka the Lulz Boat.

On Friday, LulzSec said in a statement that its members had exploited the website of the Atlanta chapter of InfraGard, a private, non-profit organization that exists to serve as a public/private partnership with the FBI. LulzSec also posted 180 member usernames and passwords gleaned from the attack, and said it deleted all information stored on the website. As of press time, the website resolved to a page listing it as being "under construction."

LulzSec is the same outfit that recently defaced the PBS website, posting fake news. More recently, the group hacked into a Sony Pictures Entertainment website, exposing one million passwords.

Meanwhile, on Sunday, the group said on its Twitter feed that it had exploited the Nintendo website, but chose to only steal a configuration file. It also said that Nintendo had already fixed the vulnerability it exploited to gain access to the website.

That same day, Nintendo released a statement saying that the breached website contained no customer data, and that no customer data had been stolen. Nintendo was not available for immediate comment about its response to the attacks.

On Monday, adding to its list of exploits, LulzSec released a compressed, 58-MB file, which it says contains the source code for the Sony Computer Entertainment Developer Network. It also promised to throw "more Sony booty overboard soon!" That apparently referred, at least for starters, to the "internal network maps of Sony BMG," which the group released shortly thereafter.

The group also released numerous work and private emails for a security entrepreneur. It obtained access to his email accounts via its hack of the Atlanta InfraGard chapter's website, in which it stole passwords that it then found were reused across multiple sites. As a result, the group said it was able to access both the business and personal Gmail accounts for Atlanta InfraGard member Karim Hijazi, a security consultant who's CEO and president of botnet monitoring startup firm Unveillance, and formerly the principal of security firm Demiurge Consulting.

Based on Hijazi's emails, LulzSec alleged that "we have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means: the U.S. government is funding the CSFI to attack Libya's cyber infrastructure."

LulzSec appears to be referring to a report to which Unveillance contributed information, called "Project Cyber Dawn Libya." The report was co-written by 21 people and released by the Cybersecurity Forum Initiative (CSFI), which appears to be an ad hoc group of cyber warfare devotees.

According to CSFI, the report examines Libya's current "cyber warfare capabilities and defenses," and is intended to "help the international community to understand not only Libya's potential to influence the balance in cyberspace, but also the physical repercussions of cyber-attacks originating from, and directed towards Libya."

Via BitTorrent, LulzSec also released a large quantity of Hijazi's emails. (If Hijazi failed to vary his password for different websites, in those emails he did at least appear to make regular use of PGP to encrypt his business communications--and LulzSec doesn't seem to have cracked those messages.) The group also released an IRC chat transcript that it said occurred between various members of its group and Hijazi. In that chat, said LulzSec, Hijazi "offered to pay us to eliminate his competitors through illegal hacking means in return for our silence."

But was one side just playing the other?

Hijazi, on Friday, fired back at the group in a statement, alleging that over a two-week period, LulzSec members tried to extort information and money from him in exchange for not releasing his emails. According to an IRC chat transcript referenced by Hijazi, a member of LulzSec tells him, "Don't think of it as extortion ... consider it a partership (sic)."

"In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities," said Hijazi.

"Because of this, they followed through in their threats--and attacked me, my business, and my personal reputation. I believe this incident shows the true nature of LulzSec," he said.

In response to Hijazi's statement, meanwhile, LulzSec said that its extortion attempt was a ruse. "To clarify: it was not our goal to extort anything from ... we were merely testing if he would fold or not," it said in a Twitter post on Saturday. According to another statement released by the group, "naturally we were just stringing him along to further expose the corruption of whitehats."

But in its chat transcripts with Hijazi, LulzSec does seem to be seeking data related to botnets, and in particular Mariposa. Asked by Hijazi what their intentions are for the data, one LulzSec member with the handle "Espeon" replied, "We like botnets, we like data ... we like crushing things; we like inside information."

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

About the Author(s)

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights