LulzSec is an Internet hacking group that targets web sites and Internet servers instead of retail software. Its targets are high-profile sites like the Senate, the FBI, European and South American government sites, and Bethesda Softworks, the creators of the popular Fallout games. The ‘why’ is self-proclaimed – they have no political or social agenda – they do it “for the lulz”; which is to say, they hack for the sheer amusement of it all. The more compelling question is how. How is it even possible to hack a site operated by a secured organization like the FBI?
What is a hacker?
The '90s cult-classic film “Hackers” got a lot wrong, but some of it was accurate. Nowhere in the movie do they mention a "www" or a ".com", because hackers aren't necessarily people who attack web sites. The short definition of a hacker is someone who uses technical knowledge to exploit design flaws in existing technology. More often than not this means using programming skills to exploit security flaws in supposedly secure servers hosting web sites and databases. In the case of Bethesda, LulzSec was (somewhat) straightforward about their methods. LulzSec walked away from the Bethesda servers with a wealth of information and, in a move right out of USA's Burn Notice episode Entry Point, uploaded that information to a foreign-hosted BitTorrent aggregator, The Pirate Bay. In the description of the torrent, dated July 13, 2011, LulzSec wrote:
“Some weeks ago, we smashed into Brink with our heavy artillery Lulz Cannons and decided to switch to ninja mode. From our LFI entry point, we acquired command execution via local file inclusion of enemy fleet Apache vessel. We then found that the HTTPD had SSH auth keys, which let our ship SSH into other servers. See where this is going?
We then switched to root ammunition rounds. And we rooted... and rooted... and rooted...
After mapping their internal network and thoroughly pillaging all of their servers, we grabbed all their source code and database passwords, which we proceeded to shift silently back to our storage deck.”
Explaining LulzSec's statements
Translating the pirate slang, the post means they began by targeting the servers for Brink, a recently released game developed by one of Bethesda's subsidiaries, with a brute-force attack to gain access to Brink's servers. From there they switched to Local File Inclusion (LFI) tactics. Local File Inclusion takes advantage of poorly written code that will load and run whatever file a request parameter points it at.
Neophasis, a security blog, provides a post on how to defend against and execute an attack via local file inclusion, stating: “[placing a file on the server] can be an interesting puzzle as it is almost a case of chicken before the egg. To gain access to the remote system we need the ability to create a file on the remote system. The first possibility, and by far the simplest, is to look at the features provided by the application we are attacking. For example, many local inclusion exploits use features such as custom avatars and file storage mechanisms to place code on the target system.”
Regardless of how it gets there, once the file is on the server the attacker takes advantage of sloppy code to make the server run whatever code or files the hacker pleases, usually by exploiting request variables that are passed to an include without validation. Incidentally, Neophasis' 2008 blog post on LFI also states: “A simple check for non-alphanumeric characters would suffice...”
LFI vulnerabilities are a known, and generally easily avoided, phenomenon. LulzSec proceeded to own Brink's Apache-run servers, gaining access to SSH authentication keys which allowed them further access to other servers. From there it was an easy task to take whatever they pleased, including source code, database contents and user passwords, before leaving the servers.
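To make the LFI pattern and the recommended fix concrete, here is an added example (constructed for this article; it is not Bethesda's, Brink's or Neophasis' code). It models the classic "include the template named in a request parameter" routine: one resolver that trusts the parameter and one that applies the non-alphanumeric check from the Neophasis post plus a second containment check. The document root, template names and page names are all made up, and everything runs inside a temporary directory.

```python
"""Vulnerable page-include resolver beside a hardened one (added example).

Constructed for this article. Models the "include the page named in a
request parameter" pattern that Local File Inclusion abuses. Runs against
a temporary directory, so nothing real is touched or read.
"""
import os
import re
import tempfile

# Constructed document root holding two legitimate templates.
DOCROOT = tempfile.mkdtemp(prefix="lfi_demo_")
for _name, _body in {"home": "<h1>Home</h1>", "about": "<h1>About</h1>"}.items():
    with open(os.path.join(DOCROOT, _name + ".tpl"), "w") as _fh:
        _fh.write(_body)

# Allowlist: a single path segment of letters, digits, '_' or '-'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_vulnerable(page):
    """Vulnerable: joins the untrusted name straight onto the document root.

    Returns the path an include would open. '../' sequences walk out of
    DOCROOT. The file is deliberately not opened here; the point is where
    the path ends up.
    """
    return os.path.normpath(os.path.join(DOCROOT, page + ".tpl"))


def resolve_hardened(page):
    """Hardened: allowlist the name, then confirm the real path stays inside.

    Two independent layers: the character check the Neophasis post
    recommends, and a realpath containment check so that a later loosening
    of the regex, or a symlink under DOCROOT, still cannot reach outside.
    Raises ValueError for anything it will not serve.
    """
    if not SAFE_NAME.fullmatch(page):
        raise ValueError("page name contains disallowed characters")
    root = os.path.realpath(DOCROOT)
    candidate = os.path.realpath(os.path.join(root, page + ".tpl"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path escapes document root")
    if not os.path.isfile(candidate):
        raise ValueError("no such template")
    return candidate


def check(page):
    """Report the hardened resolver's decision without raising."""
    try:
        return ("accept", resolve_hardened(page))
    except ValueError as exc:
        return ("reject", str(exc))


def render(page):
    """Serve a template through the hardened resolver."""
    with open(resolve_hardened(page)) as fh:
        return fh.read()


def escapes_docroot(path):
    """True if `path` lies outside DOCROOT; used to show the vulnerable case."""
    root = os.path.realpath(DOCROOT)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


if __name__ == "__main__":
    # Constructed traversal input, the kind the allowlist exists to stop.
    traversal = "../../outside"
    print(render("home"))
    print("vulnerable resolves to:", resolve_vulnerable(traversal),
          "escapes:", escapes_docroot(resolve_vulnerable(traversal)))
    print("hardened decision:", check(traversal))
```

The regex alone would have stopped the traversal case; the containment check is there because allowlists get relaxed over time and a resolved-path comparison keeps holding even when the first layer is weakened.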
LulzSec exploited an existing vulnerability in Brink's servers, piggybacking various methods to ultimately have complete and unfettered access. A similar vulnerability helped them access the servers of the FBI earlier in the month. They used an SQL injection, a method considered “out of date” by many programmers (hackers), to root through the FBI servers and come away with a “chest full of booty”, or proof that they'd been there. That the FBI servers were vulnerable to a technique that was outdated over a decade ago should be a concern to many. One wonders what kind of damage LulzSec could do if they actually had a political agenda.
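Because the article calls SQL injection “out of date” without saying what makes it preventable, here is an added example (constructed for this article, not code from the FBI site or from LulzSec) showing the string-built query that the technique abuses next to the parameterised query that closes it. It uses an in-memory SQLite database with made-up users; the table, column and user names are assumptions.

```python
"""String-built query beside a parameterised one (added example).

Constructed for this article against an in-memory SQLite database.
"""
import sqlite3


def make_db():
    """Build a constructed users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: concatenates the input into the SQL text.

    A quote character in the input ends the string literal, and whatever
    follows is parsed as SQL rather than compared as data.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened: binds the input to a placeholder.

    The driver sends the value separately from the statement, so it is only
    ever compared against the column, never interpreted as SQL.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def row_counts(username):
    """Rows returned by each variant for the same input; handy for comparison."""
    conn = make_db()
    return (len(find_user_vulnerable(conn, username)),
            len(find_user_safe(conn, username)))


if __name__ == "__main__":
    # A constructed input containing a quote: legitimate lookups return one
    # row from both functions; an input that breaks out of the literal makes
    # the vulnerable variant return every row while the safe one returns none.
    print("alice:", row_counts("alice"))
    print("o'brien:", row_counts("o'brien"))
```

Note the `o'brien` case: the vulnerable variant does not merely leak on hostile input, it also throws a syntax error on an ordinary name containing an apostrophe, which is often how these bugs surface in logs long before anyone abuses them.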
What about that Hacking War?
These attacks made headlines when a supposed “war” with Anonymous broke out via Twitter and LulzSec used similar methods to down several game servers. While several telling tweets suggest some sparks flew between the two groups, both offshoots of 4chan.org, the “war” appears to have been exaggerated in the media. Both groups maintained they were not at war.
Anonymous received its most mainstream attention to date during the so-called “information wars”, when it attacked PayPal and several credit card companies in the name of WikiLeaks. At the time the tactics used by Anonymous were primitive: a simple DDoS attack via LOIC, which required no specific skill or knowledge, simply numbers. After the “information wars” many news sources (including Questional) questioned Anonymous' ability to mount a serious attack with such low-tech methods. One wonders if LulzSec is the answer to that question. While LulzSec is not Anonymous, and Anonymous is not 4chan, they share the same lingo and memes, and both were born in some way from the parent site 4chan.org.
Questional Question:
Who did LulzSec hack today? #antisec