Saturday, June 4, 2011

Security Update for Villains: Sony Security Breach - 2 Reposts

Lulz? Sony hackers deny responsibility for misuse of leaked data



Hackers from Lulz Security ("LulzSec") broke into Sony Pictures servers, grabbed one million user accounts and plaintext passwords, then released a large sample of this data online yesterday. The data set seen by Ars Technica included names, home addresses, passwords, and e-mail addresses—perfect for malicious exploitation, since many people reuse passwords on multiple accounts. To make matters worse, the sample that LulzSec released contained data almost exclusively on (allegedly) elderly users born in the 1920s, '30s, and '40s.
According to LulzSec, hacks using the data have already begun—but don't blame them! Releasing all these e-mail addresses and passwords was Sony's fault.
"I hear there's been some funny scamming with jacked Sony accounts. That's what you get for using the same password everywhere," the group wrote this morning on its Twitter account. "Hey innocent people whose data we leaked: blame @Sony."
At least some of the leaked data does appear to be accurate. We cross-checked multiple addresses in the data release with US government property records and phone records; they match the listed surnames and phone numbers, and the leaked e-mail addresses in turn tend to mirror the names (often including part of the name in question). The Associated Press called around and also confirmed the accuracy of some of the leaked data. But other entries in the database are quite clearly bogus—perhaps reflecting Sony contest entrants who didn't want to provide too much personal detail or were under the legal age to enter.
Mr. Lulz
This angered some people, like Twitter user H0lyPuma. "Alright @LulzSec there was no reason to publish the user accounts. hack all you want, but why punish the user? what did they do wrong?" he asked. "There is no way to justify distributing user accounts. This could fuck these people up for a long time."
Not that LulzSec cares. Its mascot wears a monocle and hoists a glass of wine in a rakish manner; its Twitter feed tells people, "You sir are sorely deluded if you think we're whitehat" and describes the group as "a team of entertainment and security experts that specialise in the production of malicious comedic cybermaterials."
In the group's IRC chatroom, the same lulz-loving, responsibility-free attitude prevails. When reporter Nick Deleon showed up to request an interview this morning, he got this:
[Reporter]: hi folks. so this is going to sound silly, but i'm
           a reporter (the daily, the new ipad newspaper-thing) in new york 
           and i'm wondering if anyone here would like to talk about
           the sony situation

[LulzSec member]: sure. in which hole of yours would you 
           prefer i stick my penis?

[Reporter]: if i have a choice in the matter, no hole would be preferable
The group even has a jolly pirate song, familiar to those who grew up watching Loveboat.
Lulz, exciting and new,
come aboard, we're expecting you.

Lulz, life's sweetest reward,
let it flow, it floats back to you.

The Lulz Boat soon will be making another run
The Lulz Boat promises something for everyone.

Set a course for adventure,
your mind on a new romance.

Lulz won't hurt anymore,
it's an open smile on a friendly shore.

Yes LULZ! Welcome aboard: it's LULZ!
And so the Lulz Boat sails on. In its chat room, group members probe various government websites looking for common security flaws (the Sony Pictures hack used a basic SQL injection), joke about being Aaron Barr, and compare notes on obfuscating IP addresses. Apart from Twitter, however, the group has far less interest in chatting with reporters.
"Pl0x dont post all teh sploits [exploits] on your report k?" one LulzSec user told Deleon. "And we won't use your DNS against you ;)"
"Gtfo, fucking media bullshit," added another.
"Lol. A reporter," added a third. "The twitter is all you're getting."
Photo illustration by Aurich Lawson

Shameless Screen Grab courtesy of Ars Technica


Sony hacked yet again, plaintext passwords, e-mails, DOB posted

I've lost count of how many times Sony's online properties have been hacked now—I just don't have that many fingers—but it's happened again. Databases used to operate sonypictures.com, sonybmg.nl, and sonybmg.be have been compromised by a group calling itself Lulz Security, or LulzSec for short. This is the same group that earlier in the week hacked PBS's servers in retaliation for a documentary felt to be critical of Wikileaks; they also hacked sonymusic.co.jp last week.
Just as was the case with the sonymusic.gr hack and LulzSec's sonymusic.co.jp hack, the latest hack was performed using SQL injection: a rudimentary technique that depends on a website passing user-supplied input from its URLs into database queries without proper handling. Being susceptible to SQL injection is embarrassing enough—techniques to prevent it are well-known, and easy to apply to any database-driven website—but what makes this hack even worse is the data that has been compromised.
The hackers retrieved account information from the database. They claim there are more than a million accounts in total; their BitTorrented dump just contained a sample. The database contained information about a variety of different account types, apparently related to different promotions and features operated by the company. Different sets of accounts, but with one major feature in common: they included plaintext passwords. Anyone who can read the database can read the passwords. And given that password reuse is rampant—many, many people use the same passwords for websites as they do their e-mail or online banking—many of those who have had their Sony accounts compromised now risk having their e-mail accounts attacked.
Some accounts also included names, phone numbers and full postal addresses.
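The two defects described above, as an added example that is not part of the original articles or of any Sony code: a lookup that pastes a URL parameter straight into its SQL text beside the parameterized form, and password storage as salted PBKDF2 digests so that reading the table does not yield the passwords. The table, e-mail addresses, passwords and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value; tune for your hardware)


def hash_password(password, salt=None):
    """Return 'salt$digest' in hex, using PBKDF2-HMAC-SHA256 with a random per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db():
    """Constructed in-memory table standing in for a promotion sign-up database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (email TEXT PRIMARY KEY, password_hash TEXT)")
    for email, pw in [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")]:
        # Only the salted digest is stored; a database dump exposes no plaintext.
        conn.execute("INSERT INTO accounts VALUES (?, ?)", (email, hash_password(pw)))
    return conn


def find_vulnerable(conn, email):
    """The broken pattern: the URL parameter becomes part of the SQL text,
    so a crafted value can rewrite the WHERE clause and return every row."""
    sql = "SELECT email FROM accounts WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def find_safe(conn, email):
    """The fix: the parameter is bound, so the database treats it purely as data."""
    sql = "SELECT email FROM accounts WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]
```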
At some point, one has to imagine that Sony will realize that it's a major target for hackers and it will wise up and fix its multitudinous broken Web applications. Until then, Lulz Security's "Lulz Boat" will continue to find rich plunder wherever it sails.

Shameless Screen Grab courtesy of Ars Technica

