LulzSec, the hacker group behind the recent attacks against Sony Pictures and PBS, said that it had struck again, this time at a small affiliate of the Federal Bureau of Investigation.
The FBI affiliate targeted in LulzSec’s latest cyber attack, InfraGard, is an Atlanta, Ga.-based non-profit organization that serves as an information liaison between the private sector and law enforcement, with a mission to protect against hostile threats to the U.S.
LulzSec said that the attack was in response to the U.S. government’s recent declaration that it would treat hacking as an act of war.
“It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated Web site and leaked its user base,” LulzSec said in a Pastebin.org blog.
As in its previous attacks, LulzSec exposed InfraGard e-mail, login credentials and other personally identifying information for about 180 employees, all of which were connected to the FBI in some way, the group said in the Pastebin blogpost.
The hackers also maintained that many of the 180 employees re-used their InfraGard passwords for other accounts, “which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too,” LulzSec said.
The group said that, as in previous hacks, it defaced the organization's Web site. As of Monday afternoon, InfraGard’s Web site appeared to be down with a message stating that the site was under construction as the future home for the Atlanta InfraGard Member's Alliance.
The hacking group had made headlines in recent weeks with a series of attacks against a range of targets, including Sony Pictures and PBS.
Last month, LulzSec boasted that it broke into PBS’s Web site and exposed sensitive information in response to a show it aired critical of WikiLeaks and the suspected whistleblower Bradley Manning.
LulzSec’s retaliation efforts included publishing the usernames and hashed passwords for PBS Web site users and administrators, as well as login information and plain-text passwords for PBS affiliate television stations. The group also defaced the PBS.org Web site with a statement that read “All your base are belong to LulzSec” coupled with a fake story that indicating that deceased rapper Tupac Shakur, killed in 1996, was actually alive and living in New Zealand.
Most recently, LulzSec targeted Sony Pictures, posting a sampling of personal data from a pool of 1 million compromised customer accounts. The hacker group said in a Pastebin.com blog post that they expoited a security vulnerability on the Sony Pictures Web site with an SQL injection attack.
Altogether, the hackers said that they accessed personally identifying information, including passwords, e-mail addresses, home addresses, dates of birth and Sony associated opt-in data, as well as 75,000 "music codes" and 3.5 million music coupons.
Security solution providers contend that the string of LulzSec attacks highlights the pervasiveness of security vulnerabilities within the networks of most organizations.
Next: LulzSec Attacks Underscore Poor Security Posture“(The Sony and PBS hacks) were a simple injection that allowed them to access the entire system. From that point, it's the responsibility of the organization,” said Koji Mori, director of network services at Torrance, Calif.-based CalSoft Systems. “They failed to lock their front door. If you do that, somebody is going to walk in. You can’t do that in this day and age. That was a complete failure on the part of whoever was providing the infrastructure.”
Aaron Titus, chief privacy officer for Identity Finder, echoed that the spate of recent attacks all exploited easily preventable security flaws.
“SQL injection, that’s Web 101. The fact that this is still a problem is, quite frankly, embarrassing,” Titus said, adding that many organizations fail to have a comprehensive policy that places security as a priority because they either don’t perceive breaches as high risk or understand the ROI associated with prevention.
“In each of these cases, the sites were not very difficult to hack. These were very, very easy to prevent. But it has to be a corporate policy and corporate priority to do so,” he said. “Drawing that line back to the company is very difficult or impossible. The risks associated with breaches have traditionally been very, very low.”
Titus said that the string of attacks also indicated a comprehensive lack of user education -- even at the FBI level -- regarding best security practices, primarily regarding strong passwords.
On the flip side, Titus said that the highly publicized attacks could possibly produce a positive outcome by raising public awareness and provoking internal change within the FBI, Sony and elsewhere.
“It’s an embarrassment for the FBI affiliate. I don’t know whether it should be an embarrassment for the FBI. But I can almost guarantee there are high level conversations going on right now,” he said. “For better worse it is having an effect. These are important conversations to have. I don’t agree with (LulzSec’s) tactics. I hope that the positive outcome outweighs the negative collateral damage that they cause.”
However, Mori said that the series of attacks has failed to prompt many organizations, including his customers, to take immediate action to enhance their security posture.
“Organizations view high profile attacks with the attitude, 'It can never happen to me.’ It’s very difficult to get people to really sense the urgency. When things like this happen the security industry has always said ‘it could happen to you,’” Mori said. “How do you address that? Unfortunately, it’s just human nature. Nobody wants to think that they’re going to be next.”