Hacking Group LulzSec's Activity Over The Weekend

Melanie Gross
Jun 6, 2011
Updated • Dec 15, 2014

LulzSec is certainly going to make a name for themselves at the rate they are going. The hacker group claims responsibility for the recent major attacks against Sony’s and PBS’s websites, which we have written about, compromising the security information of an incredible number of users and exposing the poor security of both companies.

Despite having successfully orchestrated a major hack on Sony just a few days ago, they announced Friday that they had successfully infiltrated the Atlanta chapter of Infragard. For those not in the know, Infragard is an FBI affiliate. The hackers then uploaded Infragard’s user database to the internet, compromising security for the company and its affiliates. The group also claims to have exposed an associated company’s use of botnets, and says the documents it released reveal an attempt by someone involved to pay LulzSec not to expose the breach.

LulzSec actually took complete control of Infragard’s Atlanta Chapter website, defacing it. One of their main reports was that while there were not many logins (around 180), all of them were affiliated with the FBI in one way or another.

Ironically, Infragard is a private-public partnership between the FBI and US businesses. Their business is “designed to protect IT systems from hacker attacks and other intrusions.” It would appear they are going to have to rethink their security protocols.

LulzSec really seems to be driving home the intense need for appropriate security measures to be taken by companies that hold extremely valuable personal information for clients. One “weak link” can expose literally thousands of networks to a security breach, as was well demonstrated by their exposure of Karim Hijazi’s indiscretions when it came to his password. It must be understood that reusing passwords in several different places is frowned upon by both the FBI and Infragard handbooks and, indeed, by any person or organization concerned about security.

The attack on Infragard exposed Hijazi’s repeated use of his Infragard password in other places, including accounts of his personal business as well as his personal e-mail. Hacking one system gave them access to all of the major information Hijazi was privy to, compromising not only his own security, but that of the FBI, Infragard, his personal business, all of his clients, and his personal activities. Particularly interesting to note is the fact that Hijazi’s personal business, “Unveillance,” is a whitehat company that specializes in data breaches and botnets. LulzSec reported on their website that they contacted Karim personally and told him all that they had done, and that he purportedly offered them money in exchange for eliminating his competitors by illegal hacking means and for their silence. Supposedly they even discussed plans for him to give them insider information regarding his botnet data.

Hijazi issued a public statement shortly thereafter and is quoted here:

Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as "LulzSec." During this two week period, I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies and individuals at risk of massive Distributed Denial of Service (DDoS) attacks.

In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities.

While this author cannot vouch one way or the other for the truth of Hijazi’s or LulzSec’s claims, she can provide the last response from LulzSec regarding Hijazi’s claims:

Karim compromised his entire company and the personal lives of his colleagues, then attempted to silence us with promises of financial gain and mutual benefits ... [he] used the same password for all of his online accounts and all accounts linked to a company he owns. Then he tried to bargain with hackers so his company wouldn't crumble.

Regardless of whose claims are the complete truth, one thing is for certain: LulzSec is not playing around. Companies holding vitally sensitive information would do well to make sure their security protocols are truly secure, for their own sakes as well as the sakes of the clients who trust them.

As a side note, as this article was being written, it came out that LulzSec has hacked Nintendo as well, though Nintendo claims that no user information has been compromised. We will update this article as more information becomes available.

Comments

  1. pushkar bhatkoti said on June 21, 2011 at 5:59 am

    Great stuff… interesting to know that someone has free time to do all these things!

  2. Justin said on June 6, 2011 at 5:25 pm

    It seems crazy that so little is done by companies to improve the security practices especially with all the buzz around security problems lately. You would think that these companies would have learned from the Gawker and Sony incidents to start practicing better security. I know that any security can be broken with the right amount of time and skill, but there are some things that can be done to reduce the damage such as having different passwords for different accounts or not storing sensitive info in plain text. I don’t know if I should be angry at LulzSec, Anonymous, and other groups for exposing these security issues or happy that they’re making people more and more aware of the problems with their current security practices so that we can improve them.
