Wednesday, July 20, 2011

News International sites taken down in LulzSec attack

David Meyer

The hacker group LulzSec launched a major attack on the web properties of News International on Monday night, redirecting visitors to a fake story about Rupert Murdoch's death and bringing down high-profile sites.
[Image: mock-up of The Sun's homepage carrying the fake story about Rupert Murdoch's death. Screenshot: ZDNet.com]
The attack first surfaced when people trying to visit the website of the company's biggest UK tabloid, The Sun, found a mock-up of the site falsely reporting that Murdoch, the chief executive of News International's parent company, News Corporation, had died after ingesting palladium. LulzSec, which said less than a month ago that it had disbanded, swiftly claimed responsibility on its Twitter feed.
Once visitors to The Sun's site had seen the fake Murdoch story, they were then redirected to the LulzSec Twitter feed. Among subsequent posts on that feed, the hacker group claimed to have brought down News International's DNS servers and 1,024 web addresses. At the time of writing on Tuesday morning, the websites of The Sun, The Times and The Sunday Times appeared to be back up and running.
"We have owned Sun/News of the World — that story is simply phase 1 — expect the lulz to flow in coming days," another of LulzSec's tweets read. Meanwhile, Sabu — a member of LulzSec and of partner hacking group Anonymous — tweeted that the hackers had also managed to get News International "emails" during the attack.
It is not clear whether the hackers have the emails themselves or just email account details, as Sabu also tweeted old account details for Rebekah Brooks, the former editor of both The Sun and the News of the World, the paper at the heart of the recent phone-hacking scandal. Brooks resigned as News International chief executive on Friday, before being arrested and bailed on Sunday over alleged phone-hacking and illicit payments to police officers.
It has been noted that the password for the email account of Rebekah Wade, as she was known at the time, appears to have been 63000 — the phone number of The Sun's news tip phone line.

The vector for the attack appears to have been a server hosting the new-times.co.uk website, which News International uses as a repository for statements and microsites. According to Alex Bond, a US security researcher, the hackers managed to insert JavaScript code into The Sun's breaking news ticker, which sent visitors to LulzSec's Twitter feed via the fake news page.
Code purporting to be that used in the attack has been anonymously uploaded to Pastebin, although its provenance cannot be verified.
LulzSec started off by attacking entertainment companies such as Sony, saying that the hacks were intended to highlight lax security in such corporations. However, in its 50-day campaign during June and July, LulzSec also moved on to law enforcement agencies and other official targets. The campaign culminated in an attack on the UK's Serious Organised Crime Agency (Soca), carried out in conjunction with Anonymous under the 'AntiSec' banner.
At that point, police arrested an Essex teenager named Ryan Cleary, who has been charged with involvement in the Soca attack and others claimed by Anonymous. After Cleary's arrest, LulzSec used Twitter to chide The Sun for its coverage of the case.

Rik Ferguson sez:

What have hackers ever done for us? In among the painful lessons they deliver, hacking groups such as LulzSec help reinforce the importance of a number of security fundamentals, says Rik Ferguson.

In the wake of recent publicity surrounding LulzSec's 50-day hacking spree and its subsequent disbandment last weekend, businesses around the world need to begin re-examining their approach to security architecture, planning and policy.

The apparent ease with which high-profile networks such as Sony, Nintendo, Fox and many others were breached was startling and disconcerting. The success of attacks against the government, security and law-enforcement community was unexpected and extremely worrying.

In a few cases the hackers reported only that holes in network and server defences had been uncovered. But in far too many cases sensitive personal and corporate information was posted for all to see, download and abuse. In the case of the attack against the Arizona State Police, it could certainly be argued that the hackers' activity put the lives of serving officers at risk.

So, the question remains, what did the hackers ever do for us? Well, hopefully they have taught us some painful lessons.

Relatively simple hacking

As far as can be ascertained in the absence of detailed information on how many of the intrusions were perpetrated, the tools and techniques employed by LulzSec, and many other hacking groups besides, were relatively simple.
[Image: LulzSec logo. Hacking groups such as LulzSec help reinforce the importance of a number of security fundamentals. Photo credit: LulzSec]

Distributed denial-of-service (DDoS) attacks brought down high-profile websites, and SQL injection attacks were the technique of choice for the theft of information. There is also strong suspicion that in at least one case one or more insiders may have been involved in the leak, rather than direct theft, of information.
The tools exist to enable companies to overcome, mitigate or simply avoid much of this low-level threat. The shame is these techniques are woefully underdeployed.

In the case of the theft of information from corporate databases, we must start with strategy and implementation. Never store sensitive data in clear text. Solid encryption would have avoided much of this damage. Regularly pen test your databases, servers and application platforms, from the inside as well as the outside. Use strong authentication if you are only serving a limited user population or if the data you are holding is particularly sensitive. Avoid cookies, which can lead to session hijacking.
Bounds checking of input data helps avoid buffer overflows and SQL injection attacks. Provide access to information on a need-to-know basis and always grant it with least privilege. Don't give detailed error information to browsers. You don't expect your customers to debug your application, so don't hand out that error message.
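The advice in the two paragraphs above (no clear-text secrets, input bounds checking, parameterised queries, generic error messages) can be shown side by side in a few lines. The following is an added illustration written for this page, not code from News International, ZDNet or Rik Ferguson; the in-memory SQLite table, the user names and the `find_user_*` and `authenticate` function names are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3


def hash_password(password, salt):
    # Salted, iterated PBKDF2: the table never holds a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed in-memory table standing in for a corporate user store.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, email TEXT)"
    )
    for user, pw, email in [
        ("alice", "correct horse", "alice@example.invalid"),
        ("bob", "battery staple", "bob@example.invalid"),
    ]:
        salt = secrets.token_bytes(16)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (user, salt, hash_password(pw, salt), email),
        )
    return conn


def find_user_vulnerable(conn, username):
    # Defective pattern: the caller's string is spliced into the SQL text,
    # so it can change the query's structure instead of only its value.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Hardened form: the driver binds the value; the input can only ever be data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def valid_username(username):
    # Bounds and character check applied before the database is consulted.
    return 1 <= len(username) <= 32 and username.isalnum()


def authenticate(conn, username, password):
    # Returns (ok, message). The message is identical for every failure mode,
    # so nothing about table contents or query errors reaches the browser.
    if not valid_username(username):
        return False, "Login failed"
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False, "Login failed"
    salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "OK"
    return False, "Login failed"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable lookup rows:", len(find_user_vulnerable(db, probe)))
    print("parameterised lookup rows:", len(find_user_safe(db, probe)))
    print(authenticate(db, "alice", "correct horse"))
    print(authenticate(db, "alice", "wrong"))
```

Run stand-alone, the script shows the concatenated query returning every row for a malformed username while the bound query returns none, and every failed login producing the same uninformative message. The hashing and constant-time comparison are what make a stolen table far less useful than the clear-text credentials the article describes.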
Enterprises should also start investing in technology that looks beyond the traditional firewall, intrusion-protection system, server and host layers on which we have historically relied. Security ideally should be run in a different context to the asset that is being secured.

Closer attention should be paid to internal network activity from the perspective of spotting anomalous behaviour such as exfiltration of large amounts of data or one compromised system being used to burrow deeper into the network.
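Two of the anomalies named above, a host pushing far more data out of the network than its peers and a host fanning out to many internal machines, can be spotted from ordinary flow records. The following detection logic is an added example for this page, not a tool used by any of the organisations mentioned; the flow lines, the 10.0.0.0/8 internal range and the thresholds are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumed internal address space; anything outside it counts as external.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: timestamp, source, destination, bytes sent.
SAMPLE_FLOWS = """\
2011-07-19T22:01:10 10.0.5.12 10.0.9.3 48211
2011-07-19T22:01:15 10.0.5.12 203.0.113.9 5000
2011-07-19T22:02:05 10.0.5.40 203.0.113.8 2300
2011-07-19T22:03:00 10.0.5.40 203.0.113.8 1900
2011-07-19T22:05:30 10.0.5.77 198.51.100.20 310000000
2011-07-19T22:06:02 10.0.5.91 10.0.5.2 900
2011-07-19T22:06:03 10.0.5.91 10.0.5.3 880
2011-07-19T22:06:04 10.0.5.91 10.0.5.4 910
2011-07-19T22:06:05 10.0.5.91 10.0.5.5 870
2011-07-19T22:06:06 10.0.5.91 10.0.5.6 905
2011-07-19T22:06:07 10.0.5.91 10.0.5.7 890
2011-07-19T22:06:08 10.0.5.91 10.0.5.8 915
2011-07-19T22:06:09 10.0.5.91 10.0.5.9 900
"""


def parse_flows(text):
    # One record per non-empty line; addresses are parsed so we can test membership.
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "bytes": int(nbytes),
        })
    return flows


def external_bytes_per_host(flows):
    # Total bytes each internal host sent to destinations outside INTERNAL_NET.
    totals = defaultdict(int)
    for f in flows:
        if f["dst"] not in INTERNAL_NET:
            totals[f["src"]] += f["bytes"]
    return totals


def find_bulk_exfiltration(flows, multiplier=20):
    # Flag hosts whose outbound volume exceeds `multiplier` times the median
    # of all hosts with external traffic. Median is used as the baseline so a
    # single outlier does not drag the threshold up with it.
    totals = external_bytes_per_host(flows)
    if len(totals) < 2:
        return set()
    baseline = statistics.median(totals.values())
    return {str(h) for h, b in totals.items() if b > multiplier * baseline}


def find_lateral_fan_out(flows, min_distinct=5):
    # Flag hosts that talk to at least `min_distinct` different internal
    # machines: the pattern of one compromised box burrowing deeper.
    peers = defaultdict(set)
    for f in flows:
        if f["dst"] in INTERNAL_NET and f["src"] != f["dst"]:
            peers[f["src"]].add(f["dst"])
    return {str(h) for h, p in peers.items() if len(p) >= min_distinct}


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    print("bulk exfiltration candidates:", sorted(find_bulk_exfiltration(records)))
    print("lateral fan-out candidates:", sorted(find_lateral_fan_out(records)))
```

On the constructed sample the volume check singles out 10.0.5.77 and the fan-out check singles out 10.0.5.91; the thresholds are deliberately parameters, because the right multiplier and peer count depend on what normal looks like on a given network and should be tuned against a quiet baseline period before alerts are acted on.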
Run security in a different context

The final job of any accomplished hacker is always to clear the logs and other traces of activity from the compromised system, to avoid detection. If the security runs in a different context, we make this task much more difficult.
Finally, we must stop building security systems from the outside in, leaving the soft chewy middle at the heart of our network. Every server and every discrete item of data should benefit from its own secure perimeter and the layered security model should be built inside out from there.

In your personal life, live every day as if it's your last. On the network, secure every asset as if it's the only one you have; otherwise it just might be.